Bug 1185272 (CVE-2014-9640) - CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input
Summary: CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-9640
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140620,reported=2...
Depends On: 1185558 1569426
Blocks: 1184457 1185273
 
Reported: 2015-01-23 11:07 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-13 07:07:35 UTC



Description Vasyl Kaigorodov 2015-01-23 11:07:01 UTC
A segmentation fault was reported [1] in oggenc when trying to encode a sequence of zeroes.
Upstream commit that fixes this:
https://trac.xiph.org/changeset/19117

[1]: https://trac.xiph.org/ticket/2009

Comment 1 Vasyl Kaigorodov 2015-01-23 11:09:40 UTC
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1185274]

Comment 2 Kamil Dudka 2015-01-26 12:17:26 UTC
This is already being fixed in Fedora as bug #1185558.

Comment 3 Fedora Update System 2015-01-30 04:35:35 UTC
vorbis-tools-1.4.0-18.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-02-04 08:01:51 UTC
vorbis-tools-1.4.0-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Siddharth Sharma 2015-05-13 06:40:52 UTC
Analysis
========

In the code in vorbis-tools/oggenc/oggenc.c there was no proper handling of the raw format; the problem lies in the code here:

         if(opt.rawmode)
         {
-            input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", 
-                N_("RAW file reader")};
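
Review bot: in the `if(opt.rawmode)` block, the removed declaration gives `raw_format` block scope, so any pointer to it that is kept past the block's closing brace refers to an object whose lifetime has ended. Only the removed lines are visible here, so confirm that the replacement declaration sits at function scope in `main` with the same six-member initializer, `wav_close` included, before the close path dereferences it.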

The variable input_format raw_format should be initialized outside the if block in the main function so that when the program tries to close the file it gets the correct pointer. An attacker can cause a local DoS of the application, and there seems to be no possible way of arbitrary code execution here, so the impact of this flaw is low.
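
The lifetime problem described in comment 5, as an added C example that is not oggenc's code or the upstream patch: the struct field names, `reader_state`, `encode_raw` and the handler bodies are assumptions made for illustration. The block-scoped form stays in a comment, and the function shows the descriptor declared at function scope so the close call goes through a live object.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for oggenc's input_format; field names are assumed, the
 * initializer order follows the lines quoted in the analysis. */
typedef struct {
    int (*id_func)(const unsigned char *buf, size_t len);
    int id_data_len;
    int (*open_func)(void *state);
    void (*close_func)(void *state);
    const char *format;
    const char *description;
} input_format;

typedef struct { int is_open; size_t consumed; } reader_state; /* hypothetical */

static int raw_open(void *s)   { ((reader_state *)s)->is_open = 1; return 1; }
static void wav_close(void *s) { ((reader_state *)s)->is_open = 0; }

/* BEFORE, kept as a comment because running it is undefined behaviour:
 *     if (rawmode) {
 *         input_format raw_format = {NULL, 0, raw_open, wav_close, ...};
 *         format = &raw_format;
 *     }                            <- raw_format's lifetime ends here
 *     format->close_func(&st);     <- reads through a dangling pointer
 */

/* AFTER: the descriptor lives at function scope, so it is still valid at close.
 * Returns bytes consumed, or -1 if no reader was selected or a handler is missing. */
long encode_raw(const unsigned char *buf, size_t len, int rawmode)
{
    input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", "RAW file reader"};
    const input_format *format = rawmode ? &raw_format : NULL;
    reader_state st = {0, 0};

    (void)buf;                         /* sample data is not inspected here */
    if (format == NULL || format->open_func == NULL || format->close_func == NULL)
        return -1;
    if (!format->open_func(&st))
        return -1;
    st.consumed = len;                 /* stand-in for the encode loop */
    format->close_func(&st);           /* pointer still refers to a live object */
    return st.is_open ? -1 : (long)st.consumed;
}

int main(void)
{
    const unsigned char zeroes[16] = {0}; /* constructed input: a run of zero bytes */
    printf("consumed %ld bytes\n", encode_raw(zeroes, sizeof zeroes, 1));
    return 0;
}
```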

