Bug 531765 (CVE-2009-3379)
| Summary: | CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | ajax, cmontgom, hdegoede, jnovy, kreilly | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-11-19 15:04:55 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 532415, 532416, 532417, 532418, 532419, 833931 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Tomas Hoger
2009-10-29 13:01:47 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=500254 reported by Lucas Adamski This issue is already known as CVE-2009-2663 (bug #516259). It was first fixed in Firefox 3.5.2 / 1.9.1.2 via: http://www.mozilla.org/security/announce/2009/mfsa2009-45.html (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream is mentioning this as security fix again, the bug seems to have been re-tested as the backported patch added in 1.9.1.2 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 1.9.1.4. libvorbis packages in Red Hat Enterprise Linux have this fix included already: https://www.redhat.com/security/data/cve/CVE-2009-2663.html https://bugzilla.mozilla.org/show_bug.cgi?id=515889 This is a report of the possible integer overflow leading to bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)cookbook.c. This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which is also fixed in libvorbis packages in Red Hat Enterprise Linux for a while: https://www.redhat.com/security/data/cve/CVE-2008-1423.html https://bugzilla.mozilla.org/show_bug.cgi?id=501279 Looks like this mozilla hg commit has some relevant test cases: http://hg.mozilla.org/mozilla-central/rev/5e68517728d2 Related vorbis SVN commit should be r16218: https://trac.xiph.org/changeset/16218 https://bugzilla.mozilla.org/show_bug.cgi?id=507167 Searching mozilla hg for 507167 yields this commit: http://hg.mozilla.org/mozilla-central/rev/196956e36ed2 That "update to latest vorbis SVN" change seems to include two vorbis SVN commits: https://trac.xiph.org/changeset/16552 https://trac.xiph.org/changeset/16597 r16552 seems to be changing / enhancing previous r14598: https://trac.xiph.org/changeset/14598 which is a fix for CVE-2008-1420 (bug #440706). r16552 seems to make certain ogg files playable again, which were treated as invalid with original patch. Hence r16597 should be relevant for mozilla 507167. (In reply to comment #1) > (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream > is mentioning this as security fix again, the bug seems to have been re-tested > as the backported patch added in 1.9.1.2 was dropped during the rebase to > libvorbis 1.2.3 in 3.5.4 / 1.9.1.4. Advisory is now updated, 500254 was removed with following explanation: The original version of this advisory incorrectly included bug 500254 as part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as CVE-2009-2663 Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed: https://trac.xiph.org/changeset/16218 (501279) https://trac.xiph.org/changeset/16597 (507167) One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check. That was fixed as part of the larger hardening commit: https://trac.xiph.org/changeset/16222 Another similar fix: https://trac.xiph.org/changeset/16217 And finally this commit which should prevent some unspecified overflows, which may also be an ABI breaker: https://trac.xiph.org/changeset/16326 Anyone see anything else we should consider? Created attachment 366806 [details] Patches for 1.2.0 Patches from comment #7, for 1.2.0 in F-11. (In reply to comment #9) > Patches from comment #7, for 1.2.0 in F-11. Apply to 1.0 in EL3 with +-1 offsets, not tested yet.
> And finally this commit which should prevent some unspecified overflows, which
> may also be an ABI breaker:
>
> https://trac.xiph.org/changeset/16326
>
> Anyone see anything else we should consider?
Just FYI, the extended structure in question is entirely internal. No ABI break.
Monty
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libvorbis-1.2.0-9.fc11 libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libvorbis-1.2.0-7.fc10 This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |