Bug 1184449 (CVE-2014-9639)

Summary: CVE-2014-9639 vorbis-tools: integer overflow on crafted WAV file
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: carnil, hdegoede, kdudka, mprpic, sisharma, vkaigoro
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-13 07:07:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1184452
Bug Blocks: 1184457, 1185273

Description Martin Prpič 2015-01-21 12:47:09 UTC
An integer overflow flaw, leading to an out-of-bounds memory read, was found in the way the oggenc utility, which is used to encode audio into the Ogg Vorbis format, processed certain WAV files. An attacker could provide a specially crafted WAV file that would crash oggenc when processed.

Upstream report:

https://trac.xiph.org/ticket/2136

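The report above gives the bug class in one sentence: a field read from an attacker-controlled WAV header feeds integer arithmetic and a memory access without a bound. The C program below is an added example written for this page, not code from vorbis-tools or oggenc/audio.c. It parses a canonical 44-byte PCM WAV header, rejects every field that later size arithmetic or table indexing would depend on, and sizes a read buffer with an explicit overflow check. The 255-channel bound, the error codes, and the build_wav_header() helper that constructs crafted headers in memory are assumptions of the example; the page does not say which header field the crashing attachment abuses, so all of them are checked.

```c
/* Added example for this page, not oggenc/audio.c: parse a canonical
 * 44-byte PCM WAV header and bound every field that later arithmetic
 * or table lookups depend on, before anything is sized from it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WAV_HEADER_LEN 44   /* RIFF(12) + "fmt "(8+16) + "data"(8) */
#define MAX_CHANNELS   255  /* assumed bound: match the table/buffer the count indexes */

struct wav_fmt {
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
};

enum wav_err {
    WAV_OK = 0, WAV_ERR_SHORT = -1, WAV_ERR_MAGIC = -2, WAV_ERR_FMTLEN = -3,
    WAV_ERR_CHANNELS = -4, WAV_ERR_BITS = -5, WAV_ERR_RATE = -6, WAV_ERR_ALIGN = -7
};

/* Little-endian field accessors; WAV stores every field little-endian. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Constructed input: write a header with any field values the caller wants,
 * including nonsensical ones, to stand in for a crafted file. */
void build_wav_header(unsigned char buf[WAV_HEADER_LEN], uint16_t channels,
                      uint16_t bits, uint32_t rate, uint32_t data_bytes)
{
    uint32_t bpf = (uint32_t)channels * (bits / 8);   /* bytes per frame */
    memcpy(buf, "RIFF", 4);      wr32(buf + 4, 36 + data_bytes);
    memcpy(buf + 8, "WAVE", 4);
    memcpy(buf + 12, "fmt ", 4); wr32(buf + 16, 16);
    wr16(buf + 20, 1);           /* WAVE_FORMAT_PCM */
    wr16(buf + 22, channels);    wr32(buf + 24, rate);
    wr32(buf + 28, rate * bpf);  wr16(buf + 32, (uint16_t)bpf);
    wr16(buf + 34, bits);
    memcpy(buf + 36, "data", 4); wr32(buf + 40, data_bytes);
}

/* Parse and validate; the header is untrusted input. */
enum wav_err wav_parse_header(const unsigned char *buf, size_t len, struct wav_fmt *out)
{
    if (len < WAV_HEADER_LEN) return WAV_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4) || memcmp(buf + 12, "fmt ", 4))
        return WAV_ERR_MAGIC;
    if (rd32(buf + 16) != 16) return WAV_ERR_FMTLEN;   /* plain PCM fmt chunk only */

    out->channels        = rd16(buf + 22);
    out->sample_rate     = rd32(buf + 24);
    out->block_align     = rd16(buf + 32);
    out->bits_per_sample = rd16(buf + 34);

    /* Zero channels turns "channels - 1" style indexing negative; a huge
     * count walks off the end of any fixed-size per-channel table. */
    if (out->channels == 0 || out->channels > MAX_CHANNELS) return WAV_ERR_CHANNELS;
    if (out->bits_per_sample != 8 && out->bits_per_sample != 16 && out->bits_per_sample != 24)
        return WAV_ERR_BITS;
    if (out->sample_rate == 0) return WAV_ERR_RATE;
    /* Recompute the redundant field rather than trusting it. */
    if (out->block_align != out->channels * (out->bits_per_sample / 8)) return WAV_ERR_ALIGN;
    return WAV_OK;
}

/* Bytes for `frames` frames, or 0 if the product would wrap size_t. */
size_t wav_buffer_bytes(const struct wav_fmt *f, size_t frames)
{
    size_t bpf = (size_t)f->channels * (f->bits_per_sample / 8);
    if (bpf == 0 || frames > SIZE_MAX / bpf) return 0;
    return frames * bpf;
}

/* Convenience for the demo: build a header in memory and parse it. */
enum wav_err parse_built(uint16_t channels, uint16_t bits, uint32_t rate, struct wav_fmt *out)
{
    unsigned char hdr[WAV_HEADER_LEN];
    build_wav_header(hdr, channels, bits, rate, 8);
    return wav_parse_header(hdr, sizeof hdr, out);
}

int main(void)
{
    struct wav_fmt f;
    printf("stereo 16-bit: %d\n", parse_built(2, 16, 44100, &f));
    printf("  1024 frames need %zu bytes\n", wav_buffer_bytes(&f, 1024));
    printf("zero channels: %d\n", parse_built(0, 16, 44100, &f));
    printf("65535 channels: %d\n", parse_built(0xffff, 16, 44100, &f));
    return 0;
}
```

When reproducing against a real oggenc, run it without -r: that switch tells oggenc the input is raw PCM, so the WAV header parser this example models is never reached and a crafted header cannot trigger anything.
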
Comment 1 Martin Prpič 2015-01-21 12:48:41 UTC
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1184452]

Comment 2 Vasyl Kaigorodov 2015-01-23 11:21:17 UTC
*** Bug 1185269 has been marked as a duplicate of this bug. ***

Comment 3 Kamil Dudka 2015-01-26 12:26:52 UTC
I am not able to reproduce the crash on x86_64 using vorbis-tools-1.4.0-18.fc21 and attachment #983303.  Valgrind output is sane:

$ rpm -q vorbis-tools
vorbis-tools-1.4.0-18.fc21.x86_64

$ curl -JO 'https://bugzilla.redhat.com/attachment.cgi?id=983303'
curl: Saved to filename 'crash_ex.wav'

$ valgrind oggenc -r -o test.ogg ./crash_ex.wav
==24113== Memcheck, a memory error detector
==24113== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24113== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==24113== Command: oggenc -r -o test.ogg ./crash_ex.wav
==24113==
Encoding "./crash_ex.wav" to
         "test.ogg"
at quality 3.00


Done encoding file "test.ogg"

        File length:  0m 00.0s
        Elapsed time: 0m 00.7s
        Rate:         0.0041
        Average bitrate: 692.3 kb/s

==24113==
==24113== HEAP SUMMARY:
==24113==     in use at exit: 0 bytes in 0 blocks
==24113==   total heap usage: 1,128 allocs, 1,128 frees, 585,608 bytes allocated
==24113==
==24113== All heap blocks were freed -- no leaks are possible
==24113==
==24113== For counts of detected and suppressed errors, rerun with: -v
==24113== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


Please provide self-contained steps to reproduce the bug.

Comment 5 Kamil Dudka 2015-02-19 09:24:38 UTC
Thanks for the hint!  I should not have used the -r option.  My mistake.

Comment 6 Kamil Dudka 2015-02-19 15:18:06 UTC
I have proposed a patch upstream:

http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html

Comment 7 Fedora Update System 2015-02-28 10:24:34 UTC
vorbis-tools-1.4.0-19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-02-28 10:26:58 UTC
vorbis-tools-1.4.0-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.