Bug 1557221 (CVE-2018-5146)

Summary: CVE-2018-5146 Mozilla: Vorbis audio processing out of bounds write (MFSA 2018-08)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: ajax, alexl, caillon, cperry, cschalle, dmoppert, erik-fedora, gecko-bugs-nobody, gecko-bugs-nobody, hdegoede, jhorak, jmagne, john.j5live, klember, mclasen, paulo.cesar.pereira.de.andrade, pjasicek, rhughes, rrelyea, rstrode, sandmann, security-response-team, sfowler, simon, stransky, tuxator, yjog, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firefox 57.2.1, libvorbis 1.3.6 Doc Type: If docs needed, set a value
Doc Text:
An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:17:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1551863, 1551864, 1551865, 1551866, 1557115, 1557116, 1557117, 1557118, 1558170, 1558171, 1558172, 1558173, 1558174, 1558175, 1558176, 1558177, 1558384, 1558385, 1558386, 1558388, 1558389, 1558390, 1558391, 1558392, 1558393, 1558394, 1558395, 1558396, 1558397, 1558398, 1558399    
Bug Blocks: 1557112    

Description Huzaifa S. Sidhpurwala 2018-03-16 08:43:43 UTC 
As per upstream advisory:

An out of bounds write while processing vorbis audio data was reported through the Pwn2Own contest.
Comment 2 Huzaifa S. Sidhpurwala 2018-03-16 08:43:53 UTC 
External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-08
Comment 4 Kurt Seifried 2018-03-16 17:33:07 UTC 
This issue is now public via upstream advisory:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
Comment 5 Clifford Perry 2018-03-16 19:44:41 UTC 
*** Bug 1557113 has been marked as a duplicate of this bug. ***
Comment 7 errata-xmlrpc 2018-03-19 05:17:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2018:0549 https://access.redhat.com/errata/RHSA-2018:0549
Comment 8 Pedro Sampaio 2018-03-19 18:41:39 UTC 
Created mozjs45 tracking bugs for this issue:

Affects: fedora-all [bug 1558176]


Created mozjs38 tracking bugs for this issue:

Affects: fedora-all [bug 1558177]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 1558173]


Created mingw-libvorbis tracking bugs for this issue:

Affects: fedora-all [bug 1558174]


Created libvorbis tracking bugs for this issue:

Affects: fedora-all [bug 1558170]


Created xulrunner tracking bugs for this issue:

Affects: fedora-26 [bug 1558172]


Created mingw-libvorbis tracking bugs for this issue:

Affects: epel-7 [bug 1558171]


Created mozjs38 tracking bugs for this issue:

Affects: epel-7 [bug 1558175]
Comment 10 Doran Moppert 2018-03-20 04:43:37 UTC 
It appears that mozjs does not build vorbis support.
Comment 11 Doran Moppert 2018-03-20 04:44:03 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Richard Zhu via Trend Micro's Zero Day Initiative
Comment 17 Doran Moppert 2018-03-22 03:08:33 UTC 
Upstream patch (libvorbis):

https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
Comment 19 Doran Moppert 2018-03-26 02:33:27 UTC 
Thunderbird 52.7 ESR includes this fix.
Comment 20 errata-xmlrpc 2018-04-05 20:01:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0649 https://access.redhat.com/errata/RHSA-2018:0649
Comment 21 errata-xmlrpc 2018-04-05 20:05:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0648 https://access.redhat.com/errata/RHSA-2018:0648
Comment 22 errata-xmlrpc 2018-04-05 20:23:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0647 https://access.redhat.com/errata/RHSA-2018:0647
Comment 24 errata-xmlrpc 2018-04-10 09:10:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1058 https://access.redhat.com/errata/RHSA-2018:1058
Comment 26 Doran Moppert 2018-04-12 01:09:44 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

The affected code is present in esc and xulrunner, however esc has no support for audio, and xulrunner is limited to using only local content that an attacker can not control. These components are not impacted by this vulnerability.