Bug 1184449 - (CVE-2014-9639) CVE-2014-9639 vorbis-tools: integer overflow on crafted WAV file
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20150118,reported=2...
: Security
Duplicates: 1185269
Depends On: 1184452
Blocks: 1184457 1185273
Reported: 2015-01-21 07:47 EST by Martin Prpič
Modified: 2015-07-31 03:31 EDT
Doc Type: Bug Fix
Last Closed: 2015-05-13 03:07:25 EDT
Description Martin Prpič 2015-01-21 07:47:09 EST
An integer overflow flaw, leading to an out-of-bounds memory read, was found in the way the oggenc utility, which is used to encode audio into the Ogg Vorbis format, processed certain WAV files. An attacker could provide a specially crafted WAV file that would crash oggenc when processed.

Upstream report:

https://trac.xiph.org/ticket/2136
Comment 1 Martin Prpič 2015-01-21 07:48:41 EST
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1184452]
Comment 2 Vasyl Kaigorodov 2015-01-23 06:21:17 EST
*** Bug 1185269 has been marked as a duplicate of this bug. ***
Comment 3 Kamil Dudka 2015-01-26 07:26:52 EST
I am not able to reproduce the crash on x86_64 using vorbis-tools-1.4.0-18.fc21 and attachment #983303. Valgrind output is sane:

$ rpm -q vorbis-tools
vorbis-tools-1.4.0-18.fc21.x86_64

$ curl -JO 'https://bugzilla.redhat.com/attachment.cgi?id=983303'
curl: Saved to filename 'crash_ex.wav'

$ valgrind oggenc -r -o test.ogg ./crash_ex.wav
==24113== Memcheck, a memory error detector
==24113== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24113== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==24113== Command: oggenc -r -o test.ogg ./crash_ex.wav
==24113==
Encoding "./crash_ex.wav" to
         "test.ogg"
at quality 3.00


Done encoding file "test.ogg"

        File length:  0m 00.0s
        Elapsed time: 0m 00.7s
        Rate:         0.0041
        Average bitrate: 692.3 kb/s

==24113==
==24113== HEAP SUMMARY:
==24113==     in use at exit: 0 bytes in 0 blocks
==24113==   total heap usage: 1,128 allocs, 1,128 frees, 585,608 bytes allocated
==24113==
==24113== All heap blocks were freed -- no leaks are possible
==24113==
==24113== For counts of detected and suppressed errors, rerun with: -v
==24113== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


Please provide self-contained steps to reproduce the bug.
Comment 5 Kamil Dudka 2015-02-19 04:24:38 EST
Thanks for the hint!  I should not have used the -r option.  My mistake.
Comment 6 Kamil Dudka 2015-02-19 10:18:06 EST
I have proposed a patch upstream:

http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html
Comment 7 Fedora Update System 2015-02-28 05:24:34 EST
vorbis-tools-1.4.0-19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-02-28 05:26:58 EST
vorbis-tools-1.4.0-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
