Bug 1480656 (CVE-2017-11331)

Summary: CVE-2017-11331 vorbis-tools: Invalid memory allocation in wav_open function in oggenc/audio.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: hdegoede, kdudka, psampaio
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:20:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1480657    
Bug Blocks:    

Description Pedro Sampaio 2017-08-11 15:17:39 UTC 
A flaw was found in vorbis-tools 1.4.0. The wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) 
via a crafted wav file.

References:

http://seclists.org/fulldisclosure/2017/Jul/80
Comment 1 Pedro Sampaio 2017-08-11 15:18:03 UTC 
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1480657]
Comment 2 Kamil Dudka 2017-08-14 10:02:23 UTC 
To be honest, I do not see any (security) problem here.  If the audio file header is corrupted, oggenc simply cannot cannot open the file.  From user's perspective it does not really matter whether the process is terminated by exit() or by the kernel handling a NULL pointer dereference.  Please clarify what exactly is your concern here.
Comment 3 Pedro Sampaio 2017-08-18 13:11:11 UTC 
The fact that it terminates via a NULL pointer dereference means that someone can  crash it from another process. Thats probably why it got a CVE and why its a security issue.

As this already has a CVE, I we can't do anything else about it but feel free to close it of you think you should.
Comment 4 Kamil Dudka 2017-12-06 16:09:23 UTC 
Please explain how this differs from CVE-2014-9639 for which we have a patch already installed:

https://src.fedoraproject.org/cgit/rpms/vorbis-tools.git/tree/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch?id=a7431596
Comment 5 Pedro Sampaio 2017-12-06 17:30:45 UTC 
I'm speculating here, but the 2014 CVE looks like an integer overflow that leads to a out-of-bounds read, while this seems a NULL pointer dereference while allocating memory. 

But I couldn't determine for certain if this is the case.

Although, the patch you mentioned really seems to fix this issue too, as stated by other distros bugs (https://security-tracker.debian.org/tracker/CVE-2017-11331).