Bug 440709 (CVE-2008-1423)

Summary:	CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks
Product:	[Other] Security Response	Reporter:	Tomas Hoger <thoger>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	cmontgom, jnovy, jrusnack, kreilly, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-06-19 10:47:59 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	444703, 444704, 444705, 444706, 444707, 444708, 446341, 446342, 446343, 446344, 833929
Bug Blocks:	438125

Description Tomas Hoger 2008-04-04 15:33:10 UTC

Will Drewry of the Google Security Team reported an issue in OGG Vorbis library,
that can cause an integer overflow in the computation of quantvals and of the
space required for quantlist leading to a heap overflow.

Check for the overflow added in the fix.  Files are rejected if the total
virtual space of the codebook exceeds 24 bits.

Comment 1 Tomas Hoger 2008-04-04 15:33:57 UTC

Upstream patch:

$ svn log -r 14604 http://svn.xiph.org/trunk/vorbis/
------------------------------------------------------------------------
r14604 | xiphmont | 2008-03-19 09:03:29 +0100 (Wed, 19 Mar 2008) | 3 lines

dd checks/rejection for absurdly huge codebooks.

------------------------------------------------------------------------

$ svn diff -c 14604 http://svn.xiph.org/trunk/vorbis/
Index: lib/codebook.c
===================================================================
--- lib/codebook.c      (revision 14603)
+++ lib/codebook.c      (revision 14604)
@@ -159,6 +159,8 @@
   s->entries=oggpack_read(opb,24);
   if(s->entries==-1)goto _eofout;

+  if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
+
   /* codeword ordering.... length ordered or unordered? */
   switch((int)oggpack_read(opb,1)){
   case 0:

Comment 3 Tomas Hoger 2008-04-28 13:28:48 UTC

https://trac.xiph.org/changeset/14604

Comment 6 Tomas Hoger 2008-05-14 07:30:44 UTC

Lifting embargo.

Comment 8 Fedora Update System 2008-05-14 10:47:53 UTC

libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9

Comment 9 Fedora Update System 2008-05-14 10:50:16 UTC

libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8

Comment 10 Fedora Update System 2008-05-14 10:51:45 UTC

libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7

Comment 11 Fedora Update System 2008-05-14 22:08:03 UTC

libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-05-14 22:08:46 UTC

libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2008-05-14 22:10:09 UTC

libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Red Hat Product Security 2008-06-19 10:47:59 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0271.html
  http://rhn.redhat.com/errata/RHSA-2008-0270.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3898
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3934
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3910