Bug 1185272 (CVE-2014-9640)

Summary: CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: hdegoede, kdudka, sisharma
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-13 07:07:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1185558, 1569426
Bug Blocks: 1184457, 1185273

Description Vasyl Kaigorodov 2015-01-23 11:07:01 UTC
A segmentation fault was reported [1] in oggenc when trying to encode a sequence of zeroes.
The upstream commit that fixes this:
https://trac.xiph.org/changeset/19117

[1]: https://trac.xiph.org/ticket/2009

Comment 1 Vasyl Kaigorodov 2015-01-23 11:09:40 UTC
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1185274]

Comment 2 Kamil Dudka 2015-01-26 12:17:26 UTC
This is already being fixed in Fedora as bug #1185558.

Comment 3 Fedora Update System 2015-01-30 04:35:35 UTC
vorbis-tools-1.4.0-18.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-02-04 08:01:51 UTC
vorbis-tools-1.4.0-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Siddharth Sharma 2015-05-13 06:40:52 UTC
Analysis
========

In vorbis-tools/oggenc/oggenc.c there was no proper handling of the raw format; the problem lies in this code:

         if(opt.rawmode)
         {
-            input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", 
-                N_("RAW file reader")};
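
Review bot: in the `if(opt.rawmode)` block only the removed declaration of `raw_format` is shown, so the replacement cannot be checked from this excerpt; please include the added lines. When the declaration moves, place it once at function scope before the block so any pointer taken from it is still valid when its close callback (`wav_close` in the removed initializer) runs later, and add a short comment saying the object must outlive the block.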

The variable input_format raw_format should be initialized outside the if block in the main function so that when the program tries to close the file it gets the correct pointer. An attacker can cause a local DoS of the application, and there seems to be no possible way of arbitrary code execution here, so the impact of this flaw is low.
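
The lifetime problem described in the analysis above, shown as an added example that is not code from vorbis-tools or from the bug report: a descriptor declared inside an `if` block next to the same descriptor declared at function scope. The struct layout, `raw_close`, both `encode_*` functions and the file name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a format descriptor (hypothetical layout). */
typedef struct {
    int  (*open_func)(const char *path);
    void (*close_func)(int *closed);
    const char *name;
} input_format;

static int  raw_open(const char *path) { return path != NULL; }
static void raw_close(int *closed)     { *closed = 1; }

#ifdef SHOW_BLOCK_SCOPED_BEFORE
/* BEFORE (compiled out): raw_format dies at the closing brace of the if
 * block, so fmt dangles and the later close call is undefined behaviour. */
int encode_block_scoped(int rawmode, const char *path) {
    const input_format *fmt = NULL;
    int closed = 0;
    if (rawmode) {
        input_format raw_format = { raw_open, raw_close, "raw" };
        fmt = &raw_format;
        if (!fmt->open_func(path)) return -1;
    }                                   /* raw_format's lifetime ends here */
    if (fmt) fmt->close_func(&closed);  /* read through a dangling pointer */
    return closed;
}
#endif

/* AFTER: the descriptor is declared at function scope, so it is still
 * alive when the close callback is reached. Returns 1 if the input was
 * closed through the descriptor, 0 if raw mode was off, -1 on open failure. */
int encode_function_scoped(int rawmode, const char *path) {
    input_format raw_format = { raw_open, raw_close, "raw" };
    const input_format *fmt = NULL;
    int closed = 0;
    if (rawmode) {
        fmt = &raw_format;
        if (!fmt->open_func(path)) return -1;
    }
    if (fmt) fmt->close_func(&closed);
    return closed;
}

int main(void) {
    /* "zeros.raw" is a constructed name; no file is opened on disk. */
    printf("raw mode closed=%d\n", encode_function_scoped(1, "zeros.raw"));
    return 0;
}
```

Building the compiled-out variant with `-DSHOW_BLOCK_SCOPED_BEFORE -fsanitize=address` and calling it is a quick way to see a sanitizer report a stack-use-after-scope for this pattern.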