Bug 531765 (CVE-2009-3379)

Summary: CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ajax, cmontgom, hdegoede, jnovy, kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,source=internet,reported=20091029,public=20091027,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-19 10:04:55 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 532415, 532416, 532417, 532418, 532419, 833931    
Bug Blocks:    
Attachments:
Description Flags
Patches for 1.2.0 none

Description Tomas Hoger 2009-10-29 09:01:47 EDT
Quoting Mozilla Foundation Security Advisory 2009-63:

  http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

  Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported
  crashes in libvorbis.

Advisory provides following bug list:

https://bugzilla.mozilla.org/buglist.cgi?bug_id=501279,499512,500254,515889,507167

with only 500254 being public at the moment.
Comment 1 Tomas Hoger 2009-10-29 09:31:36 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=500254
reported by Lucas Adamski

This issue is already known as CVE-2009-2663 (bug #516259).  It was first fixed in Firefox 3.5.2 / 1.9.1.2 via:

  http://www.mozilla.org/security/announce/2009/mfsa2009-45.html

(part of the "Browser crashes - Firefox 3.5").  Not sure why Mozilla upstream is mentioning this as security fix again, the bug seems to have been re-tested as the backported patch added in 1.9.1.2 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 1.9.1.4.

libvorbis packages in Red Hat Enterprise Linux have this fix included already:

  https://www.redhat.com/security/data/cve/CVE-2009-2663.html
Comment 2 Tomas Hoger 2009-10-29 09:52:00 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=515889

This is a report of the possible integer overflow leading to bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)cookbook.c.  This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which is also fixed in libvorbis packages in Red Hat Enterprise Linux for a while:

  https://www.redhat.com/security/data/cve/CVE-2008-1423.html
Comment 3 Tomas Hoger 2009-10-29 11:39:25 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=501279

Looks like this mozilla hg commit has some relevant test cases:

  http://hg.mozilla.org/mozilla-central/rev/5e68517728d2

Related vorbis SVN commit should be r16218:

  https://trac.xiph.org/changeset/16218
Comment 5 Tomas Hoger 2009-10-29 12:01:26 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=507167

Searching mozilla hg for 507167 yields this commit:

  http://hg.mozilla.org/mozilla-central/rev/196956e36ed2

That "update to latest vorbis SVN" change seems to include two vorbis SVN commits:

  https://trac.xiph.org/changeset/16552
  https://trac.xiph.org/changeset/16597

r16552 seems to be changing / enhancing previous r14598:

  https://trac.xiph.org/changeset/14598

which is a fix for CVE-2008-1420 (bug #440706).  r16552 seems to make certain ogg files playable again, which were treated as invalid with original patch.

Hence r16597 should be relevant for mozilla 507167.
Comment 6 Tomas Hoger 2009-10-29 16:14:19 EDT
(In reply to comment #1)
> (part of the "Browser crashes - Firefox 3.5").  Not sure why Mozilla upstream
> is mentioning this as security fix again, the bug seems to have been re-tested
> as the backported patch added in 1.9.1.2 was dropped during the rebase to
> libvorbis 1.2.3 in 3.5.4 / 1.9.1.4.

Advisory is now updated, 500254 was removed with following explanation:

  The original version of this advisory incorrectly included bug 500254 as
  part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as
  CVE-2009-2663
Comment 7 Tomas Hoger 2009-10-30 10:09:46 EDT
Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed:

  https://trac.xiph.org/changeset/16218 (501279)
  https://trac.xiph.org/changeset/16597 (507167)

One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check.  That was fixed as part of the larger hardening commit:

  https://trac.xiph.org/changeset/16222

Another similar fix:

  https://trac.xiph.org/changeset/16217

And finally this commit which should prevent some unspecified overflows, which may also be an ABI breaker:

  https://trac.xiph.org/changeset/16326

Anyone see anything else we should consider?
Comment 9 Tomas Hoger 2009-10-30 10:26:20 EDT
Created attachment 366806 [details]
Patches for 1.2.0

Patches from comment #7, for 1.2.0 in F-11.
Comment 10 Tomas Hoger 2009-10-30 10:29:50 EDT
(In reply to comment #9)
> Patches from comment #7, for 1.2.0 in F-11.

Apply to 1.0 in EL3 with +-1 offsets, not tested yet.
Comment 12 Monty 2009-11-03 14:57:24 EST
> And finally this commit which should prevent some unspecified overflows, which
> may also be an ABI breaker:
> 
>   https://trac.xiph.org/changeset/16326
> 
> Anyone see anything else we should consider?  

Just FYI, the extended structure in question is entirely internal.  No ABI break.

Monty
Comment 14 Fedora Update System 2009-11-09 09:54:11 EST
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libvorbis-1.2.0-9.fc11
Comment 15 Fedora Update System 2009-11-09 10:02:39 EST
libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libvorbis-1.2.0-7.fc10
Comment 16 errata-xmlrpc 2009-11-09 10:22:27 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html
Comment 17 Fedora Update System 2009-11-10 12:43:25 EST
libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-11-10 12:52:28 EST
libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.