Bug 440700 (CVE-2008-1419)

Summary: CVE-2008-1419 vorbis: zero-dim codebooks can cause crash, infinite loop or heap overflow
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cmontgom, jnovy, kreilly, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-19 10:47:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 444703, 444704, 444705, 444706, 444707, 444708, 446341, 446342, 446343, 446344, 833929    
Bug Blocks: 438125    

Description Tomas Hoger 2008-04-04 15:07:26 UTC 
Will Drewry of the Google Security Team reported an issue in OGG Vorbis library,
that can cause crash of the application using vorbis library, trigger an
infinite loop, or cause an integer overflow leading to possible heap overflow.

Problem is caused by codebooks with codebook.dim == 0.
Comment 1 Tomas Hoger 2008-04-04 15:10:54 UTC 
Upstream patch:

$ svn log -r 14602 http://svn.xiph.org/trunk/vorbis/
------------------------------------------------------------------------
r14602 | xiphmont | 2008-03-18 19:12:52 +0100 (Tue, 18 Mar 2008) | 2 lines

correctly handle the nonsensical codebook.dim==0 case

------------------------------------------------------------------------

$ svn diff -c 14602 http://svn.xiph.org/trunk/vorbis/lib/
Index: codebook.c
===================================================================
--- codebook.c  (revision 14601)
+++ codebook.c  (revision 14602)
@@ -225,7 +225,7 @@
       int quantvals=0;
       switch(s->maptype){
       case 1:
-       quantvals=_book_maptype1_quantvals(s);
+       quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
        break;
       case 2:
        quantvals=s->entries*s->dim;
Comment 3 Tomas Hoger 2008-04-28 13:32:21 UTC 
https://trac.xiph.org/changeset/14602
Comment 6 Tomas Hoger 2008-05-14 07:30:36 UTC 
Lifting embargo.
Comment 8 Fedora Update System 2008-05-14 10:47:49 UTC 
libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9
Comment 9 Fedora Update System 2008-05-14 10:50:18 UTC 
libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8
Comment 10 Fedora Update System 2008-05-14 10:51:52 UTC 
libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7
Comment 11 Fedora Update System 2008-05-14 22:08:05 UTC 
libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-05-14 22:08:41 UTC 
libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-05-14 22:10:04 UTC 
libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Red Hat Product Security 2008-06-19 10:47:04 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0271.html
  http://rhn.redhat.com/errata/RHSA-2008-0270.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3898
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3934
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3910