Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63|
|Product:||[Other] Security Response||Reporter:||Tomas Hoger <thoger>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||ajax, cmontgom, hdegoede, jnovy, kreilly|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2009-11-19 10:04:55 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||532415, 532416, 532417, 532418, 532419, 833931|
Description Tomas Hoger 2009-10-29 09:01:47 EDT
Quoting Mozilla Foundation Security Advisory 2009-63: http://www.mozilla.org/security/announce/2009/mfsa2009-63.html Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported crashes in libvorbis. Advisory provides following bug list: https://bugzilla.mozilla.org/buglist.cgi?bug_id=501279,499512,500254,515889,507167 with only 500254 being public at the moment.
Comment 1 Tomas Hoger 2009-10-29 09:31:36 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=500254 reported by Lucas Adamski This issue is already known as CVE-2009-2663 (bug #516259). It was first fixed in Firefox 3.5.2 / 22.214.171.124 via: http://www.mozilla.org/security/announce/2009/mfsa2009-45.html (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream is mentioning this as security fix again, the bug seems to have been re-tested as the backported patch added in 126.96.36.199 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 188.8.131.52. libvorbis packages in Red Hat Enterprise Linux have this fix included already: https://www.redhat.com/security/data/cve/CVE-2009-2663.html
Comment 2 Tomas Hoger 2009-10-29 09:52:00 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=515889 This is a report of the possible integer overflow leading to bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)cookbook.c. This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which is also fixed in libvorbis packages in Red Hat Enterprise Linux for a while: https://www.redhat.com/security/data/cve/CVE-2008-1423.html
Comment 3 Tomas Hoger 2009-10-29 11:39:25 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=501279 Looks like this mozilla hg commit has some relevant test cases: http://hg.mozilla.org/mozilla-central/rev/5e68517728d2 Related vorbis SVN commit should be r16218: https://trac.xiph.org/changeset/16218
Comment 5 Tomas Hoger 2009-10-29 12:01:26 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=507167 Searching mozilla hg for 507167 yields this commit: http://hg.mozilla.org/mozilla-central/rev/196956e36ed2 That "update to latest vorbis SVN" change seems to include two vorbis SVN commits: https://trac.xiph.org/changeset/16552 https://trac.xiph.org/changeset/16597 r16552 seems to be changing / enhancing previous r14598: https://trac.xiph.org/changeset/14598 which is a fix for CVE-2008-1420 (bug #440706). r16552 seems to make certain ogg files playable again, which were treated as invalid with original patch. Hence r16597 should be relevant for mozilla 507167.
Comment 6 Tomas Hoger 2009-10-29 16:14:19 EDT
(In reply to comment #1) > (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream > is mentioning this as security fix again, the bug seems to have been re-tested > as the backported patch added in 184.108.40.206 was dropped during the rebase to > libvorbis 1.2.3 in 3.5.4 / 220.127.116.11. Advisory is now updated, 500254 was removed with following explanation: The original version of this advisory incorrectly included bug 500254 as part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as CVE-2009-2663
Comment 7 Tomas Hoger 2009-10-30 10:09:46 EDT
Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed: https://trac.xiph.org/changeset/16218 (501279) https://trac.xiph.org/changeset/16597 (507167) One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check. That was fixed as part of the larger hardening commit: https://trac.xiph.org/changeset/16222 Another similar fix: https://trac.xiph.org/changeset/16217 And finally this commit which should prevent some unspecified overflows, which may also be an ABI breaker: https://trac.xiph.org/changeset/16326 Anyone see anything else we should consider?
Comment 9 Tomas Hoger 2009-10-30 10:26:20 EDT
Created attachment 366806 [details] Patches for 1.2.0 Patches from comment #7, for 1.2.0 in F-11.
Comment 10 Tomas Hoger 2009-10-30 10:29:50 EDT
(In reply to comment #9) > Patches from comment #7, for 1.2.0 in F-11. Apply to 1.0 in EL3 with +-1 offsets, not tested yet.
Comment 12 Monty 2009-11-03 14:57:24 EST
> And finally this commit which should prevent some unspecified overflows, which > may also be an ABI breaker: > > https://trac.xiph.org/changeset/16326 > > Anyone see anything else we should consider? Just FYI, the extended structure in question is entirely internal. No ABI break. Monty
Comment 14 Fedora Update System 2009-11-09 09:54:11 EST
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libvorbis-1.2.0-9.fc11
Comment 15 Fedora Update System 2009-11-09 10:02:39 EST
libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libvorbis-1.2.0-7.fc10
Comment 16 errata-xmlrpc 2009-11-09 10:22:27 EST
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html
Comment 17 Fedora Update System 2009-11-10 12:43:25 EST
libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-11-10 12:52:28 EST
libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.