Bug 440706 (CVE-2008-1420)

Summary: CVE-2008-1420 vorbis: integer overflow in partvals computation

Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: cmontgom, jnovy, kreilly, security-response-team
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2008-06-19 10:47:37 UTC
Bug Depends On: 444703, 444704, 444705, 444706, 444707, 444708, 446341, 446342, 446343, 446344, 833929
Bug Blocks: 438125

Description Tomas Hoger 2008-04-04 15:22:34 UTC
Will Drewry of the Google Security Team reported an issue in the Ogg Vorbis library
that can cause an integer overflow leading to a possible heap overflow.

Comment 3 Tomas Hoger 2008-04-04 15:45:21 UTC
Upstream patch:

$ svn log -r 14598 http://svn.xiph.org/trunk/vorbis/
------------------------------------------------------------------------
r14598 | xiphmont | 2008-03-18 16:39:43 +0100 (Tue, 18 Mar 2008) | 6 lines

Add code to prevent heap attacks by exploiting dim=bignum and
partition_codewords = partition_values^dim.  partition_codewords is
actually overdetermined; in the case of inconsistency, mark stream
undecodable.

------------------------------------------------------------------------

$ svn diff -r 14597:14600 http://svn.xiph.org/trunk/vorbis/lib
Index: misc.h
===================================================================
--- misc.h      (revision 14597)
+++ misc.h      (revision 14600)
@@ -29,6 +29,7 @@
 #ifdef DEBUG_MALLOC

 #define _VDBG_GRAPHFILE "malloc.m"
+#undef _VDBG_GRAPHFILE
 extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line);
 extern void _VDBG_free(void *ptr,char *file,long line);

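Review bot: the `#undef _VDBG_GRAPHFILE` placed directly under `#define _VDBG_GRAPHFILE "malloc.m"` leaves a define that is dead on the very next line; if the intent is to switch off the debug-malloc graph output, delete or comment out the define instead of cancelling it, and keep this debugging tweak out of the security fix so that backports of r14598 carry only the res0.c change.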
Index: res0.c
===================================================================
--- res0.c      (revision 14597)
+++ res0.c      (revision 14600)
@@ -223,6 +223,20 @@
   for(j=0;j<acc;j++)
     if(info->booklist[j]>=ci->books)goto errout;

+  /* verify the phrasebook is not specifying an impossible or
+     inconsistent partitioning scheme. */
+  {
+    int entries = ci->book_param[info->groupbook]->entries;
+    int dim = ci->book_param[info->groupbook]->dim;
+    int partvals = 1;
+    while(dim>0){
+      partvals *= info->partitions;
+      if(partvals > entries) goto errout;
+      dim--;
+    }
+    if(partvals != entries) goto errout;
+  }
+
   return(info);
  errout:
   res0_free_info(info);
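Review bot: the new block dereferences `ci->book_param[info->groupbook]`, but the visible context only validates `info->booklist[j]` against `ci->books`; confirm that `info->groupbook` is range-checked against `ci->books` before this point, or move such a check in front of it. The multiply `partvals *= info->partitions` stays overflow-free only because `partvals <= entries` holds on every iteration and `entries * partitions` fits an int for the field widths the format allows; a one-line comment stating that reliance would stop a later change to either field from silently reintroducing the overflow. Note also that `info->partitions == 0` is not rejected: with `dim > 0` it yields `partvals == 0`, which passes `partvals > entries` and, if `entries` is also 0, the final `partvals != entries` test as well, so a cheap `if(info->partitions<1)goto errout;` guard is worth adding.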
@@ -263,7 +277,7 @@
     }
   }

-  look->partvals=rint(pow((float)look->parts,(float)dim));
+  look->partvals=look->phrasebook->entries;
   look->stages=maxstage;
   look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
   for(j=0;j<look->partvals;j++){
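Review bot: `look->partvals=look->phrasebook->entries` is safe only because res0_unpack now guarantees `entries == parts^dim`; the loop starting at `for(j=0;j<look->partvals;j++)` and anything else in res0_look_init that still reasons in terms of `parts` and `dim` now depend on that invariant, so a comment here pointing at the unpack-time check would record why `rint(pow((float)look->parts,(float)dim))` was dropped rather than leave it looking like an unrelated simplification. The removed expression was also computed in `float`, which loses integer precision well before the int overflow occurs, a second reason to take the value from the phrasebook instead of recomputing it.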
Index: misc.c
===================================================================
--- misc.c      (revision 14597)
+++ misc.c      (revision 14600)
@@ -190,7 +190,10 @@
   pthread_mutex_unlock(&memlock);
 }

-extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){
+void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){
+  if(bytes<=0)
+    fprintf(stderr,"bad malloc request (%ld bytes) from %s:%ld\n",bytes,file,line);
+
   bytes+=HEAD_ALIGN;
   if(ptr){
     ptr-=HEAD_ALIGN;
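Review bot: `_VDBG_malloc` only prints when `bytes<=0` and then falls through to `bytes+=HEAD_ALIGN` and the allocation, so a zero or negative request produced by an overflowed size is logged but not stopped; in a debug allocator the fprintf should be followed by `abort()` (or at least `return NULL`) so the bad request is caught at the call site instead of handing back a tiny block the caller then overruns. The `ptr-=HEAD_ALIGN` on a `void *` in the following context relies on GCC's void-pointer arithmetic extension; pre-existing, but a cast to `char *` would make it portable.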
@@ -203,7 +206,7 @@
   return _insert(ptr,bytes,file,line);
 }

-extern void _VDBG_free(void *ptr,char *file,long line){
+void _VDBG_free(void *ptr,char *file,long line){
   if(ptr){
     ptr-=HEAD_ALIGN;
     _ripremove(ptr);
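Review bot: dropping `extern` from the `_VDBG_free` definition (and from `_VDBG_malloc` in the previous hunk) is harmless, since `extern` on a function definition has no effect, but it is unrelated to the partvals fix; keep such cosmetic changes in a separate commit so the security patch that distributions backport to 1.1.x and 1.2.0 is the minimal res0.c hunk.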


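Added example, not libvorbis code and not part of the r14598 patch above: a small C program that reproduces the arithmetic behind the report, so the overflow and the consistency check from res0_unpack can be exercised on hand-picked residue-header values. The function names and the header triples in main() are constructed for this example. The patch's own check relies on the format's field widths to keep `partvals *= info->partitions` in range; the version here bounds the value before multiplying, so it holds for any int inputs (a generalisation made for the example, not the upstream code).

```c
#include <limits.h>
#include <stdio.h>

/*
 * Example code (not libvorbis). Models the two versions of the partvals
 * computation from res0.c: the pre-fix rint(pow(parts, dim)) stored into an
 * int, and the post-fix partitions^dim == entries consistency check.
 */

/* Pre-fix arithmetic, computed as a saturating 64-bit value so the example
   stays well-defined; the original converted an out-of-range double to int,
   which is undefined behaviour in C. Repeated double multiplication gives the
   same value pow() returns for the small integer inputs used here. */
static long long old_partvals64(int parts, int dim)
{
    double v = 1.0;
    while (dim-- > 0)
        v *= (double)parts;
    if (v > (double)LLONG_MAX)
        return LLONG_MAX;          /* saturate: the real code overflowed int long before this */
    return (long long)v;
}

/* Whether a value can be stored in the int field res0.c keeps partvals in. */
static int fits_in_int(long long v)
{
    return v >= INT_MIN && v <= INT_MAX;
}

/* The r14598 check from res0_unpack, generalised (assumption for this example)
   so it does not depend on external field bounds: partitions^dim must equal the
   phrasebook entry count, and the product is bounded before each multiply so it
   can never overflow. Returns 1 = consistent, 0 = reject the stream. */
static int partitioning_is_consistent(int entries, int dim, int partitions)
{
    int partvals = 1;
    if (entries < 1 || partitions < 1 || dim < 0)
        return 0;
    while (dim > 0) {
        /* partvals * partitions > entries  <=>  partvals > entries / partitions */
        if (partvals > entries / partitions)
            return 0;
        partvals *= partitions;
        dim--;
    }
    return partvals == entries;
}

int main(void)
{
    /* Constructed header triples for the demo: {entries, dim, partitions}. */
    static const struct { int entries, dim, partitions; const char *what; } cases[] = {
        { 64,  3,  4, "consistent: 4^3 == 64" },
        { 128, 3,  4, "inconsistent: 4^3 != 128" },
        { 100, 8, 64, "attack shape: 64^8 does not fit a 32-bit int" },
        { 1,   0,  5, "dim 0: only a single-entry phrasebook is consistent" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long long old = old_partvals64(cases[i].partitions, cases[i].dim);
        printf("%-52s old partvals=%lld (%s), new check: %s\n",
               cases[i].what, old,
               fits_in_int(old) ? "fits int" : "does NOT fit int",
               partitioning_is_consistent(cases[i].entries, cases[i].dim,
                                          cases[i].partitions) ? "accept" : "reject");
    }
    return 0;
}
```

The third case is the shape the commit message describes (large dim): the old path produces 2^48, which cannot be stored in the int it was assigned to, while the new check rejects the header on its first iteration because 1 * 64 already exceeds 100 entries. The fourth case shows the dim == 0 corner the loop in the patch implies: partvals stays 1, so only a one-entry phrasebook is accepted.
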
Comment 8 Tomas Hoger 2008-05-14 07:30:40 UTC
Lifting embargo.

Comment 10 Fedora Update System 2008-05-14 10:47:55 UTC
libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9

Comment 11 Fedora Update System 2008-05-14 10:50:13 UTC
libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8

Comment 12 Fedora Update System 2008-05-14 10:51:49 UTC
libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7

Comment 13 Fedora Update System 2008-05-14 22:08:00 UTC
libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-05-14 22:08:44 UTC
libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-05-14 22:10:02 UTC
libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.