Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626704 (CVE-2017-11333, CVE-2017-11735) - media-libs/libvorbis : multiple vulnerabilities (CVE-2017-1133{3,5})
Summary: media-libs/libvorbis : multiple vulnerabilities (CVE-2017-1133{3,5})
Status: RESOLVED FIXED
Alias: CVE-2017-11333, CVE-2017-11735
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-31 13:18 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2019-03-12 05:43 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:18:17 UTC 
From URL:

Introduction:
=============
The libvorbis package contains a general purpose audio and music encoding format. This is useful for creating 
(encoding) and playing (decoding) sound in an open (patent free) format.


Affected version:
=====
1.3.5


Vulnerability Description:
==========================
1.
the vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(OOM) via a 
crafted wav file.


I found this bug when I test Sound eXchange(SoX) 14.4.2 which used the libvorbis library.


./sox libvorbis_1.3.5_OOM.wav out.ogg


/var/log/syslog info:
  Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child
Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB


----debug info:----
#0  0x00007ffff5df5e92 in vorbis_analysis_wrote ()
from /usr/local/lib/libvorbis.so.0
#1  0x00007ffff7ba1cba in write_samples (ft=0x611c20, buf=buf@entry=0x0, 
    len=len@entry=0x0) at vorbis.c:358
#2  0x00007ffff7ba1dc5 in stopwrite (ft=<optimized out>) at vorbis.c:398
#3  0x00007ffff7b58488 in sox_close (ft=0x611c20) at formats.c:1006
#4  0x0000000000405fa8 in cleanup () at sox.c:246
#5  0x0000000000403479 in main (argc=argc@entry=0x3, 
    argv=argv@entry=0x7fffffffe5e8) at sox.c:3050
#6  0x00007ffff727bec5 in __libc_start_main (main=0x4029c0 <main>, argc=0x3, 
    argv=0x7fffffffe5e8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe5d8) at libc-start.c:287
#7  0x0000000000403c65 in _start ()
--------
Program terminated with signal SIGKILL, Killed.
The program no longer exists.


POC:
libvorbis_1.3.5_OOM.wav
CVE:
CVE-2017-11333


2.
the vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(NULL pointer 
dereference and application crash) via a crafted ogg file.


I found this bug when I test mp3splt 2.6.2 which used the libvorbis library.


./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg


----debug info:----
0x00007ffff61752c0 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0
(gdb) disassemble 
Dump of assembler code for function vorbis_block_clear:
   0x00007ffff61752a0 <+0>:push   %r14
   0x00007ffff61752a2 <+2>:mov    %rdi,%r14
   0x00007ffff61752a5 <+5>:push   %r13
   0x00007ffff61752a7 <+7>:push   %r12
   0x00007ffff61752a9 <+9>:push   %rbp
   0x00007ffff61752aa <+10>:push   %rbx
   0x00007ffff61752ab <+11>:mov    0xb8(%rdi),%r13
   0x00007ffff61752b2 <+18>:callq  0x7ffff616b240 <_vorbis_block_ripcord@plt>
   0x00007ffff61752b7 <+23>:mov    0x70(%r14),%rdi
   0x00007ffff61752bb <+27>:test   %rdi,%rdi
   0x00007ffff61752be <+30>:je     0x7ffff61752c5 <vorbis_block_clear+37>
=> 0x00007ffff61752c0 <+32>:callq  0x7ffff616b130 <free@plt>
   0x00007ffff61752c5 <+37>:test   %r13,%r13
   0x00007ffff61752c8 <+40>:je     0x7ffff617530c <vorbis_block_clear+108>
   0x00007ffff61752ca <+42>:mov    $0x1,%r12d
   0x00007ffff61752d0 <+48>:xor    %ebx,%ebx
   0x00007ffff61752d2 <+50>:jmp    0x7ffff61752df <vorbis_block_clear+63>
   0x00007ffff61752d4 <+52>:nopl   0x0(%rax)
   0x00007ffff61752d8 <+56>:add    $0x1,%ebx
   0x00007ffff61752db <+59>:add    $0x1,%r12d
   0x00007ffff61752df <+63>:movslq %ebx,%rax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x22
rbx            0x61fca06421664
rcx            0x00
rdx            0x7ffff7ba6778140737349576568
rsi            0x00
rdi            0x80128
rbp            0x7fffffffd4700x7fffffffd470
rsp            0x7fffffffd4000x7fffffffd400
r8             0x746e656d75636f008389754676633104128
r9             0x6143506374224
r10            0x7fffffffd1f0140737488343536
r11            0x7ffff61752a0140737322111648
r12            0x6128506367312
r13            0x00
r14            0x6205606423904
r15            0x7ffff7bcf146140737349742918
rip            0x7ffff61752c00x7ffff61752c0 <vorbis_block_clear+32>
eflags         0x202[ IF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---
gs             0x00
(gdb) ni


Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x80) at malloc.c:2929
2929malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x80) at malloc.c:2929
#1  0x00007ffff61752c5 in vorbis_block_clear ()
   from /usr/local/lib/libvorbis.so.0
#2  0x00007ffff65ac5ae in splt_ogg_v_free (oggstate=0x61fca0) at ogg.c:162
#3  0x00007ffff65ace0b in splt_ogg_info (in=<optimized out>, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0) at ogg.c:545
#4  0x00007ffff65acf75 in splt_ogg_get_info (state=state@entry=0x60ddb0, 
    file_input=<optimized out>, error=error@entry=0x7fffffffdbf0) at ogg.c:108
#5  0x00007ffff65ae6c7 in splt_pl_init (state=0x60ddb0, error=0x7fffffffdbf0)
    at ogg.c:1482
#6  0x00007ffff7bcac16 in splt_tp_get_original_tags_and_append (
    error=0x7fffffffdbf0, state=0x60ddb0) at tags_parser.c:545
#7  splt_tp_process_original_tags_variable (tpu=tpu@entry=0x61f800, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0, 
    set_original_tags=1) at tags_parser.c:514
#8  0x00007ffff7bcb4d1 in splt_tp_process_tag_variable (error=0x7fffffffdbf0, 
    state=0x60ddb0, tpu=0x61f800, end_paranthesis=0x7ffff7bcf14c "]", 
    tag_variable_start=0x7ffff7bcf146 "o,@N=1]") at tags_parser.c:363
#9  splt_tp_process_tags (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, 
    tags=0x7ffff7bcf143 "%[@o,@N=1]") at tags_parser.c:293
#10 splt_tp_put_tags_from_string (state=state@entry=0x60ddb0, 
    tags=tags@entry=0x7ffff7bcf143 "%[@o,@N=1]", 
    error=error@entry=0x7fffffffdbf0) at tags_parser.c:192
---Type <return> to continue, or q <return> to quit---
#11 0x00007ffff7bbb4f3 in mp3splt_split (state=state@entry=0x60ddb0)
    at mp3splt.c:1232
#12 0x0000000000403320 in main (argc=<optimized out>, 
    orig_argv=<optimized out>) at mp3splt.c:872
(gdb) 
--------------------
 int vorbis_block_clear(vorbis_block *vb){
 int i;
 vorbis_block_internal *vbi=vb->internal;


 _vorbis_block_ripcord(vb);
 if(vb->localstore)_ogg_free(vb->localstore);  <========


 if(vbi){
   for(i=0;i<PACKETBLOBS;i++){
     oggpack_writeclear(vbi->packetblob[i]);
     if(i!=PACKETBLOBS/2)_ogg_free(vbi->packetblob[i]);
   }
   _ogg_free(vbi);
 }
 memset(vb,0,sizeof(*vb));
 return(0);
 }
Comment 1 Ian Zimmerman 2018-03-17 16:22:15 UTC 
libvorbis 1.3.6 has been released by upstream, can an ebuild for it be added to the gentoo tree please?
Comment 2 Mart Raudsepp gentoo-dev 2018-04-05 09:57:46 UTC 
1.3.6 CHANGES has this:

* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on unitialized data
* Fix CVE-2017-14633 - out-of-bounds read

But I don't see any changes in block.c about this, or mentions of CVE-2017-11333/11735. Maintainer, please advise?
The CVEs actually fixed in 1.3.6 are bug 650654 and bug 631632
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 05:43:11 UTC 
GLSA Vote: No