Bug 1185272 (CVE-2014-9640)
Summary: | CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | hdegoede, kdudka, sisharma |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-05-13 07:07:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1185558, 1569426 | | |
Bug Blocks: | 1184457, 1185273 | | |

Description
Vasyl Kaigorodov
2015-01-23 11:07:01 UTC
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1185274]

This is already being fixed in Fedora as bug #1185558.

vorbis-tools-1.4.0-18.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

vorbis-tools-1.4.0-13.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Analysis
========

In vorbis-tools/oggenc/oggenc.c there was no proper handling of the raw format; the problem lies in the code here:

    if(opt.rawmode) {
    - input_format raw_format = {NULL, 0, raw_open, wav_close, "raw",
    - N_("RAW file reader")};

The variable input_format raw_format should be initialized outside the if block in the main function so that when the program tries to close the file it gets the correct pointer.

An attacker can cause a local DoS of the application, and there seems to be no possible way of arbitrary code execution here, so the impact of this flaw is low.
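
Review bot: the matching `+` declaration is missing from this excerpt, which shows only the two `-` lines inside `if(opt.rawmode) {`. Wherever `raw_format` is re-declared, it has to come before the `if` in main or have static storage, so that a pointer taken from it is still valid when the input is closed through `wav_close`. A regression test that encodes a trivial raw input would confirm the crash is gone.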
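
The lifetime problem described in the analysis above, as an added C example that is not code from vorbis-tools or from this bug report. The reduced `input_format` struct, `encode_one`, `wav_format`, the `format = &raw_format` assignment and the `close_calls` counter are assumptions made for illustration; the compiled-out function shows the block-scoped declaration, the live one declares `raw_format` before the `if`.

```c
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for the encoder's format descriptor (assumed layout). */
typedef struct {
    void (*close_func)(void *);
    const char *format;
} input_format;

static int close_calls = 0;                  /* counts close_func invocations */
static void wav_close(void *readdata) { (void)readdata; close_calls++; }

#if 0  /* Pattern described in the analysis; compiled out on purpose. */
const char *encode_one_buggy(int rawmode)
{
    static input_format wav_format = { wav_close, "wav" };
    input_format *format = &wav_format;
    if (rawmode) {
        input_format raw_format = { wav_close, "raw" };
        format = &raw_format;                /* address of a block-scoped object */
    }                                        /* raw_format's lifetime ends here  */
    format->close_func(NULL);                /* dangling pointer: undefined      */
    return format->format;
}
#endif

/* Fixed pattern: raw_format is declared before the if, at function scope. */
const char *encode_one(int rawmode)
{
    static input_format wav_format = { wav_close, "wav" };
    input_format raw_format = { wav_close, "raw" };
    input_format *format = &wav_format;
    if (rawmode) {
        format = &raw_format;                /* valid until encode_one returns */
    }
    /* ... encoding would run here ... */
    format->close_func(NULL);                /* cleanup sees a live object */
    return format->format;                   /* string literal, safe to return */
}

int main(void)
{
    const char *name = encode_one(1);
    printf("closed %s input, close_calls=%d\n", name, close_calls);
    return 0;
}
```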