Bug 1184449 (CVE-2014-9639) - CVE-2014-9639 vorbis-tools: integer overflow on crafted WAV file
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-9639
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1185269
Depends On: 1184452
Blocks: 1184457 1185273
Reported: 2015-01-21 12:47 UTC by Martin Prpič
Modified: 2019-09-29 13:27 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-13 07:07:25 UTC
Embargoed:



Description Martin Prpič 2015-01-21 12:47:09 UTC
An integer overflow flaw, leading to an out-of-bounds memory read, was found in the way the oggenc utility, which is used to encode audio into the Ogg Vorbis format, processed certain WAV files. An attacker could provide a specially crafted WAV file that would crash oggenc when processed.

Upstream report:

https://trac.xiph.org/ticket/2136

Comment 1 Martin Prpič 2015-01-21 12:48:41 UTC
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1184452]

Comment 2 Vasyl Kaigorodov 2015-01-23 11:21:17 UTC
*** Bug 1185269 has been marked as a duplicate of this bug. ***

Comment 3 Kamil Dudka 2015-01-26 12:26:52 UTC
I am not able to reproduce the crash on x86_64 using vorbis-tools-1.4.0-18.fc21 and attachment #983303.  Valgrind output is sane:

$ rpm -q vorbis-tools
vorbis-tools-1.4.0-18.fc21.x86_64

$ curl -JO 'https://bugzilla.redhat.com/attachment.cgi?id=983303'
curl: Saved to filename 'crash_ex.wav'

$ valgrind oggenc -r -o test.ogg ./crash_ex.wav
==24113== Memcheck, a memory error detector
==24113== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24113== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==24113== Command: oggenc -r -o test.ogg ./crash_ex.wav
==24113==
Encoding "./crash_ex.wav" to
         "test.ogg"
at quality 3.00


Done encoding file "test.ogg"

        File length:  0m 00.0s
        Elapsed time: 0m 00.7s
        Rate:         0.0041
        Average bitrate: 692.3 kb/s

==24113==
==24113== HEAP SUMMARY:
==24113==     in use at exit: 0 bytes in 0 blocks
==24113==   total heap usage: 1,128 allocs, 1,128 frees, 585,608 bytes allocated
==24113==
==24113== All heap blocks were freed -- no leaks are possible
==24113==
==24113== For counts of detected and suppressed errors, rerun with: -v
==24113== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


Please provide self-contained steps to reproduce the bug.

Comment 5 Kamil Dudka 2015-02-19 09:24:38 UTC
Thanks for the hint!  I should not have used the -r option.  My mistake.

Comment 6 Kamil Dudka 2015-02-19 15:18:06 UTC
I have proposed a patch upstream:

http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html

Comment 7 Fedora Update System 2015-02-28 10:24:34 UTC
vorbis-tools-1.4.0-19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-02-28 10:26:58 UTC
vorbis-tools-1.4.0-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
