Bug 245991 (CVE-2007-3106)

Summary: CVE-2007-3106 libvorbis array boundary condition
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: behdad, cmontgom
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-17 15:47:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 245994, 245995, 245996, 245997, 245998, 245999, 250599, 250600    
Bug Blocks:    

Description Josh Bressers 2007-06-27 19:46:52 UTC 
Chris Montgomery has informed us of a bug found in libvorbis.
The patch is in revision 13160 from http://svn.xiph.org/trunk/vorbis
(svn diff -r 13159:13160 http://svn.xiph.org/trunk/vorbis)

I'm calling this bug an "array boundary condition flaw".  It's the best
definition I could find that matched up with something MITRE uses.  The
issue in question is related to the usage of a function pointer table.
Here is an example:

_mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);

What happens is the value of 'ci->map_type[i]' can be an attacker
controlled 16 bit unsigned integer.  The amount of play with the that
function pointer is a bit suspect I admit, but I suspect it's still
exploitable (some peer review from someone better at this sort of thing
would be helpful).

The code in question is called when libvorbis starts to clean things up
after receiving bad data.
Comment 6 Josh Bressers 2007-07-26 20:28:11 UTC 
Lifting embargo:
http://www.isecpartners.com/advisories/2007-003-libvorbis.txt
Comment 9 Red Hat Product Security 2008-01-17 15:47:38 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0845.html
  http://rhn.redhat.com/errata/RHSA-2007-0912.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-1765