Debian Bug report logs - #482518
libvorbis0a: possible integer overflows and DoS attacks

version graph

Package: libvorbis0a; Maintainer for libvorbis0a is Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>; Source for libvorbis0a is src:libvorbis.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 23 May 2008 09:13:22 UTC

Severity: grave

Tags: patch, security

Fixed in version libvorbis/1.2.0.dfsg-3.1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers):
Bug#482518; Package libvorbis0a. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbis0a: possible integer overflows and DoS attacks
Date: Fri, 23 May 2008 19:10:58 +1000
[Message part 1 (text/plain, inline)]
Package: libvorbis0a
Version: 1.2.0.dfsg-3.1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following CVEs(0,1,2) have been issued against libvorbis.


CVE-2008-1423:

Integer overflow in a certain quantvals and quantlist calculation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a crafted OGG
file with a large virtual space for its codebook, which triggers a heap
overflow.


CVE-2008-1420:

Integer overflow in residue partition value (aka partvals) evaluation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute
arbitrary code via a crafted OGG file, which triggers a heap overflow.


CVE-2008-1419:

Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero
value for codebook.dim, which allows remote attackers to cause a denial
of service (crash or infinite loop) or trigger an integer overflow.


Possible patches are attached. Since the misc.c file does not exist, it
should be enough to just patch the misc.h file, but please feel free to
review.

Please also mention the CVE ids in your changelog, when you fix these issues.

Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1423

(1): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1420

(2): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1419
[CVE-2008-1420.patch (text/x-c, attachment)]
[CVE-2008-1423+CVE-2008-1419.patch (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers):
Bug#482518; Package libvorbis0a. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers). Full text and rfc822 format available.

Message #10 received at 482518@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 482518@bugs.debian.org
Subject: nmu patch
Date: Mon, 26 May 2008 23:32:18 +1000
[Message part 1 (text/plain, inline)]
Hi

Attached you'll find the complete nmu patch.

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 482518-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 482518-close@bugs.debian.org
Subject: Bug#482518: fixed in libvorbis 1.2.0.dfsg-3.1
Date: Mon, 26 May 2008 13:47:05 +0000
Source: libvorbis
Source-Version: 1.2.0.dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive:

libvorbis-dev_1.2.0.dfsg-3.1_i386.deb
  to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1_i386.deb
libvorbis0a_1.2.0.dfsg-3.1_i386.deb
  to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1_i386.deb
libvorbis_1.2.0.dfsg-3.1.diff.gz
  to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1.diff.gz
libvorbis_1.2.0.dfsg-3.1.dsc
  to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1.dsc
libvorbisenc2_1.2.0.dfsg-3.1_i386.deb
  to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1_i386.deb
libvorbisfile3_1.2.0.dfsg-3.1_i386.deb
  to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482518@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 May 2008 12:48:06 +0000
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev
Architecture: source i386
Version: 1.2.0.dfsg-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 libvorbis-dev - The Vorbis General Audio Compression Codec (development files)
 libvorbis0a - The Vorbis General Audio Compression Codec
 libvorbisenc2 - The Vorbis General Audio Compression Codec
 libvorbisfile3 - The Vorbis General Audio Compression Codec
Closes: 482518
Changes: 
 libvorbis (1.2.0.dfsg-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix integer overflows (and possible DoS attacks) via crafted
     OGG files (Closes: #482518)
     Fixes: CVE-2008-1423, CVE-2008-1420, CVE-2008-1419
Checksums-Sha1: 
 7e30930f75eee0faa1b0046091291fc04276543a 1240 libvorbis_1.2.0.dfsg-3.1.dsc
 19c75d4a951d93b09129cd4afe3561cc26ec2472 7756 libvorbis_1.2.0.dfsg-3.1.diff.gz
 3a5d8a6e00af5042cb189c625dc11fe65678eb28 100066 libvorbis0a_1.2.0.dfsg-3.1_i386.deb
 d3c488dd904ed66d0155341091b87ed5f01b56f7 76940 libvorbisenc2_1.2.0.dfsg-3.1_i386.deb
 408a6ff91aea8d32fd9b1c7ebbf0436579bfc688 20654 libvorbisfile3_1.2.0.dfsg-3.1_i386.deb
 33662bd98970711a40008dfbc4ae722fdeca342d 462118 libvorbis-dev_1.2.0.dfsg-3.1_i386.deb
Checksums-Sha256: 
 1554f8fd5f742d8e43942ac06f21a22417440bcefed5909ac754843cae797369 1240 libvorbis_1.2.0.dfsg-3.1.dsc
 e677b256fb8fe3de476be305324dbdc3dba332e79a32cca8c5f174be5ab199ac 7756 libvorbis_1.2.0.dfsg-3.1.diff.gz
 ab2926f9aade0e32db6b898959d8c90e103a7cd74ed91651baec4958b2863e68 100066 libvorbis0a_1.2.0.dfsg-3.1_i386.deb
 1a2687243e3518f89eaa183d531dfe5bc06e74134d7688a96a526ac6963f4d50 76940 libvorbisenc2_1.2.0.dfsg-3.1_i386.deb
 d1cd774b967fdcae09229095aaa6be6355ec56159d8fd5a14f2afe4e2a6a5162 20654 libvorbisfile3_1.2.0.dfsg-3.1_i386.deb
 3b9b36f92399379b34b926802aa405e58b2b27a583a2d41018fc7df8208295ef 462118 libvorbis-dev_1.2.0.dfsg-3.1_i386.deb
Files: 
 e979e8ed3688c8acf00520ba4fffdca9 1240 libs optional libvorbis_1.2.0.dfsg-3.1.dsc
 c94aa925033b7f0f788ee51026229681 7756 libs optional libvorbis_1.2.0.dfsg-3.1.diff.gz
 64abf5026fb2171e21b75c99ab3818cb 100066 libs optional libvorbis0a_1.2.0.dfsg-3.1_i386.deb
 12e191ce8c9af5a54fbabf0b77622faa 76940 libs optional libvorbisenc2_1.2.0.dfsg-3.1_i386.deb
 2a6bfacb6d8f3d4b477ea157114bc3a0 20654 libs optional libvorbisfile3_1.2.0.dfsg-3.1_i386.deb
 9f1a4cb81cf57889fabfbbc4e3b859fc 462118 libdevel optional libvorbis-dev_1.2.0.dfsg-3.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIOruA62zWxYk/rQcRAoR5AJ9zEq39OWCfOLdRoDEKrx4YbnhCZACgpxWQ
PYDS/OBolbewKuo5bhHFHD4=
=o9UI
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Jun 2008 07:28:03 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:43:14 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.