Bug 438125

Summary: vorbis: multiple issues in ogg vorbis and tremor
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: cmontgom, jnovy, security-response-team, zprikryl
Doc Type: Bug Fix
Last Closed: 2008-06-19 13:00:07 UTC
Bug Depends On: 440700, 440706, 440709, 444443

Description Tomas Hoger 2008-03-19 09:40:53 UTC
Will Drewry of the Google Security Team reported multiple issues in the OGG Vorbis
and Tremor libraries that could cause applications using those libraries to
crash (NULL pointer dereference or divide by zero), enter an infinite loop, or
suffer a heap overflow caused by an integer overflow.

Comment 4 Josh Bressers 2008-03-20 19:07:34 UTC
Here are the fixes according to Monty:

 r14604: check for / reject impossibly large codebook requests;
 protects against the case of overflowing a 32 bit integer and
 requesting a negative heap allocation.

 r14602: reject nonsensical 0-dimension codebooks.  Prevents a divide
 by zero crash.

 r14598, r14600: Prevent heap overflows caused by dim=bignum and
 partition_codewords = partition_values^dim.  partition_codewords is
 actually overdetermined; in the case of inconsistency, mark stream
 undecodable.  Protects against the case of overflowing a 32 bit
 integer and requesting a negative heap allocation.


The revisions refer to the xiph subversion repository:
http://svn.xiph.org/
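The three classes of codebook check listed in the comment above, as an added example written for this page (not code from libvorbis, Tremor, or the cited revisions): a 32-bit entries*dim product that wraps before allocation, beside an overflow-checked version that rejects 0-dimension codebooks and impossibly large requests, and an overflow-checked power used to verify partition_codewords against partition_values^dim. Function names and the INT32_MAX cap are assumptions made for illustration; the input values are constructed.

```c
/* Added example for this bug page; not code from libvorbis, Tremor, or
 * the cited revisions. Function names and the INT32_MAX cap are
 * assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before" pattern: entries*dim computed in 32 bits. A hostile setup
 * header can make the product wrap to a small positive value (later
 * indexed as if it were the full size: heap overflow) or to a negative
 * int (a "negative heap allocation" once handed to an allocator). */
int32_t unsafe_codebook_values(uint32_t entries, uint32_t dim)
{
    uint32_t n = entries * dim;     /* unsigned wrap modulo 2^32 */
    return (int32_t)n;              /* negative once n >= 2^31 */
}

/* Hardened: compute in 64 bits, reject dim==0 / entries==0 (the
 * 0-dimension codebook that divides by zero later) and reject any
 * product above INT32_MAX as an impossibly large codebook request.
 * Returns 1 and the byte count to allocate, or 0 to reject the stream. */
int codebook_alloc_size(uint32_t entries, uint32_t dim, size_t elem_size,
                        size_t *bytes)
{
    uint64_t n, b;
    if (entries == 0 || dim == 0) return 0;
    n = (uint64_t)entries * dim;
    if (n > INT32_MAX) return 0;
    b = n * elem_size;              /* n <= 2^31, so no 64-bit wrap for a sane elem_size */
    if (b > SIZE_MAX) return 0;     /* not representable on a 32-bit size_t */
    *bytes = (size_t)b;
    return 1;
}

/* partition_codewords is redundant with partition_values^dim. Compute
 * the power with overflow detection; on any mismatch, including a power
 * that does not fit in 32 bits, the stream is marked undecodable. */
int partition_consistent(uint32_t partition_values, uint32_t dim,
                         uint32_t partition_codewords)
{
    uint64_t acc = 1;
    uint32_t i;
    if (dim == 0 || partition_values == 0) return 0;
    for (i = 0; i < dim; i++) {
        acc *= partition_values;    /* acc <= 2^32-1 before, so fits in 64 bits */
        if (acc > UINT32_MAX) return 0;
    }
    return acc == partition_codewords;
}

int main(void)
{
    size_t bytes;
    printf("unsafe 65536*65537 -> %d\n", unsafe_codebook_values(65536, 65537));
    printf("unsafe 65536*32769 -> %d\n", unsafe_codebook_values(65536, 32769));
    printf("hardened 65536*65537 accepted? %d\n",
           codebook_alloc_size(65536, 65537, sizeof(float), &bytes));
    printf("8^4 == 4096 consistent? %d\n", partition_consistent(8, 4, 4096));
    printf("65536^3 consistent? %d\n", partition_consistent(65536, 3, 0));
    return 0;
}
```

The unsafe function shows both failure shapes in the comment: 65536*65537 wraps to 65536 (a buffer far smaller than the decoder later indexes), and 65536*32769 wraps into the negative range. The hardened checks reject both before any allocation happens, and the consistency check refuses a partition_values^dim that cannot be represented rather than trusting the header's own partition_codewords.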

Comment 5 Josh Bressers 2008-03-20 19:10:38 UTC
Monty also says we want revision 14502:

"It just checked to see if the declared string lengths (vorbis comments are
length coded) are longer than the actual comment packet."
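The check described in the comment above, as an added example written for this page (not libvorbis or Tremor code, and not revision 14502 itself): a parser for the Vorbis comment header that compares every length-coded string against the bytes remaining in the packet before consuming it. Function names are assumptions; the two packets are constructed for the example rather than captured from a real file.

```c
/* Added example for this bug page; not libvorbis or Tremor code and not
 * revision 14502 itself. It shows the class of check that revision is
 * described as adding: every length-coded string in a Vorbis comment
 * packet is checked against the bytes remaining in the packet before it
 * is consumed. Names are assumptions; the packets are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read a little-endian 32-bit length; fail if fewer than 4 bytes remain. */
static int read_u32le(const uint8_t *p, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return 0;
    *out = (uint32_t)p[*pos] | ((uint32_t)p[*pos + 1] << 8) |
           ((uint32_t)p[*pos + 2] << 16) | ((uint32_t)p[*pos + 3] << 24);
    *pos += 4;
    return 1;
}

/* Consume one length-prefixed string. The check that matters is
 * n > len - *pos: a declared length longer than the remaining packet is
 * rejected instead of being used as a copy or allocation size. */
static int read_lenstr(const uint8_t *p, size_t len, size_t *pos,
                       const uint8_t **s, uint32_t *slen)
{
    uint32_t n;
    if (!read_u32le(p, len, pos, &n)) return 0;
    if (n > len - *pos) return 0;
    *s = p + *pos;
    *slen = n;
    *pos += n;
    return 1;
}

/* Parse a Vorbis comment header packet (type 3): magic, vendor string,
 * comment count, comments, framing bit. Returns the comment count, or -1
 * if the packet is malformed. Each loop iteration consumes at least 4
 * bytes or fails, so a huge declared count cannot spin forever. */
int parse_vorbis_comment(const uint8_t *pkt, size_t len)
{
    static const uint8_t magic[7] = { 0x03, 'v', 'o', 'r', 'b', 'i', 's' };
    size_t pos = sizeof magic;
    const uint8_t *s;
    uint32_t slen, ncomments, i;

    if (len < sizeof magic || memcmp(pkt, magic, sizeof magic) != 0) return -1;
    if (!read_lenstr(pkt, len, &pos, &s, &slen)) return -1;     /* vendor string */
    if (!read_u32le(pkt, len, &pos, &ncomments)) return -1;
    for (i = 0; i < ncomments; i++)
        if (!read_lenstr(pkt, len, &pos, &s, &slen)) return -1; /* "KEY=value" */
    if (pos >= len || (pkt[pos] & 1) == 0) return -1;           /* framing bit */
    return (int)ncomments;
}

/* Constructed packets (not captured from a real file). */
const uint8_t good_pkt[] = {
    0x03, 'v', 'o', 'r', 'b', 'i', 's',
    4, 0, 0, 0, 'X', 'i', 'p', 'h',                 /* vendor "Xiph" */
    1, 0, 0, 0,                                     /* one comment */
    12, 0, 0, 0, 'T', 'I', 'T', 'L', 'E', '=', 'S', 'a', 'm', 'p', 'l', 'e',
    0x01                                            /* framing bit */
};
const size_t good_pkt_len = sizeof good_pkt;

/* Same layout, but the comment claims 0xFFFFFFFF bytes while only two
 * follow: without the check, pos would run far past the buffer. */
const uint8_t bad_pkt[] = {
    0x03, 'v', 'o', 'r', 'b', 'i', 's',
    4, 0, 0, 0, 'X', 'i', 'p', 'h',
    1, 0, 0, 0,
    0xff, 0xff, 0xff, 0xff, 'T', 'I',
    0x01
};
const size_t bad_pkt_len = sizeof bad_pkt;

int main(void)
{
    printf("good packet: %d comment(s)\n", parse_vorbis_comment(good_pkt, good_pkt_len));
    printf("bad packet:  %d\n", parse_vorbis_comment(bad_pkt, bad_pkt_len));
    printf("truncated:   %d\n", parse_vorbis_comment(good_pkt, 20));
    return 0;
}
```

The comparison is done against `len - *pos`, never by adding the declared length to the cursor first, so the size_t cursor can neither wrap nor move past the end of the packet; a truncated packet and an oversized declared length both fail the same way.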

Comment 15 Tomas Hoger 2008-06-19 13:00:07 UTC
All individual issues are resolved now, closing this bug as well.