|Summary:||CVE-2017-11331 vorbis-tools: Invalid memory allocation in wav_open function in oggenc/audio.c|
|Product:||[Other] Security Response||Reporter:||Pedro Sampaio <psampaio>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED WONTFIX||QA Contact:|
|Version:||unspecified||CC:||hdegoede, kdudka, psampaio|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2019-06-08 03:20:39 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1480657|
Description Pedro Sampaio 2017-08-11 15:17:39 UTC
A flaw was found in vorbis-tools 1.4.0. The wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) via a crafted wav file. References: http://seclists.org/fulldisclosure/2017/Jul/80
Comment 1 Pedro Sampaio 2017-08-11 15:18:03 UTC
Created vorbis-tools tracking bugs for this issue: Affects: fedora-all [bug 1480657]
Comment 2 Kamil Dudka 2017-08-14 10:02:23 UTC
To be honest, I do not see any (security) problem here. If the audio file header is corrupted, oggenc simply cannot cannot open the file. From user's perspective it does not really matter whether the process is terminated by exit() or by the kernel handling a NULL pointer dereference. Please clarify what exactly is your concern here.
Comment 3 Pedro Sampaio 2017-08-18 13:11:11 UTC
The fact that it terminates via a NULL pointer dereference means that someone can crash it from another process. Thats probably why it got a CVE and why its a security issue. As this already has a CVE, I we can't do anything else about it but feel free to close it of you think you should.
Comment 4 Kamil Dudka 2017-12-06 16:09:23 UTC
Please explain how this differs from CVE-2014-9639 for which we have a patch already installed: https://src.fedoraproject.org/cgit/rpms/vorbis-tools.git/tree/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch?id=a7431596
Comment 5 Pedro Sampaio 2017-12-06 17:30:45 UTC
I'm speculating here, but the 2014 CVE looks like an integer overflow that leads to a out-of-bounds read, while this seems a NULL pointer dereference while allocating memory. But I couldn't determine for certain if this is the case. Although, the patch you mentioned really seems to fix this issue too, as stated by other distros bugs (https://security-tracker.debian.org/tracker/CVE-2017-11331).