1185272 – (CVE-2014-9640) CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input

Bug 1185272 (CVE-2014-9640) - CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input

Summary: CVE-2014-9640 vorbis-tools: segfault when trying to encode trivial raw input

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2014-9640
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1185558 1569426
Blocks:	1184457 1185273
TreeView+	depends on / blocked

Reported:	2015-01-23 11:07 UTC by Vasyl Kaigorodov
Modified:	2019-09-29 13:27 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-05-13 07:07:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vasyl Kaigorodov 2015-01-23 11:07:01 UTC

Segmentation fault was reported [1] in oggenc when trying to encode a sequence of zeroes.
Upstream commit that fixes this:
https://trac.xiph.org/changeset/19117

[1]: https://trac.xiph.org/ticket/2009

Comment 1 Vasyl Kaigorodov 2015-01-23 11:09:40 UTC

Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1185274]

Comment 2 Kamil Dudka 2015-01-26 12:17:26 UTC

This is already being fixed in Fedora as bug #1185558.

Comment 3 Fedora Update System 2015-01-30 04:35:35 UTC

vorbis-tools-1.4.0-18.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-02-04 08:01:51 UTC

vorbis-tools-1.4.0-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Siddharth Sharma 2015-05-13 06:40:52 UTC

Analysis
========

In the code vorbis-tools/oggenc/oggenc.c there was no proper handling of raw format, the problem lies in the code here

         if(opt.rawmode)
         {
-            input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", 
-                N_("RAW file reader")};

variable input_format raw_format should be initialized outside the if block in the main function so that when program tries to close the file it gets correct pointer. Attacker can local DOS the application and there seems no possible way of Arbitrary Code Execution here so impact of this flaw is low.

Note You need to log in before you can comment on or make changes to this bug.