Bug 1480656 - (CVE-2017-11331) CVE-2017-11331 vorbis-tools: Invalid memory allocation in wav_open function in oggenc/audio.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20170730,reported=2...
Keywords: Security
Depends On: 1480657
 
Reported: 2017-08-11 11:17 EDT by Pedro Sampaio
Modified: 2017-12-06 12:30 EST
Description Pedro Sampaio 2017-08-11 11:17:39 EDT
A flaw was found in vorbis-tools 1.4.0. The wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service (memory allocation error) via a crafted wav file.

References:

http://seclists.org/fulldisclosure/2017/Jul/80
Comment 1 Pedro Sampaio 2017-08-11 11:18:03 EDT
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1480657]
Comment 2 Kamil Dudka 2017-08-14 06:02:23 EDT
To be honest, I do not see any (security) problem here. If the audio file header is corrupted, oggenc simply cannot open the file. From the user's perspective it does not really matter whether the process is terminated by exit() or by the kernel handling a NULL pointer dereference. Please clarify what exactly is your concern here.
Comment 3 Pedro Sampaio 2017-08-18 09:11:11 EDT
The fact that it terminates via a NULL pointer dereference means that someone can crash it from another process. That's probably why it got a CVE and why it's a security issue.

As this already has a CVE, we can't do anything else about it, but feel free to close it if you think you should.
Comment 4 Kamil Dudka 2017-12-06 11:09:23 EST
Please explain how this differs from CVE-2014-9639 for which we have a patch already installed:

https://src.fedoraproject.org/cgit/rpms/vorbis-tools.git/tree/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch?id=a7431596
Comment 5 Pedro Sampaio 2017-12-06 12:30:45 EST
I'm speculating here, but the 2014 CVE looks like an integer overflow that leads to an out-of-bounds read, while this seems to be a NULL pointer dereference while allocating memory.

But I couldn't determine for certain if this is the case.

However, the patch you mentioned really seems to fix this issue too, as stated in other distros' bugs (https://security-tracker.debian.org/tracker/CVE-2017-11331).
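Added example, not vorbis-tools' code and not the Fedora patch linked in comment 4: a minimal WAV header reader in C, in an unchecked and a checked version, to make concrete the failure the description and comments 2 through 5 talk around. wav_open_unchecked() sizes a buffer from header fields it has not validated and writes through the malloc() result without testing it, so a crafted header that yields an impossible request ends in a NULL pointer dereference; wav_open_checked() validates channel count, sample width, block align and data length against example limits before allocating, and returns an error code when the allocation fails. The header layout follows the canonical PCM "fmt " chunk; the limits, error codes, int32_t working buffer and both sample headers are this example's own assumptions, and the sample headers are constructed, not taken from real files.

```c
/* Added example, not vorbis-tools code: a minimal WAV header reader in an
 * unchecked and a checked version.  Layout: the canonical 16-byte PCM "fmt "
 * body followed by the "data" chunk length.  Limits, error codes and the
 * int32_t working buffer are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint16_t format;     /* 1 = PCM */
    uint16_t channels;
    uint32_t samplerate;
    uint16_t align;      /* bytes per frame: channels * samplesize / 8 */
    uint16_t samplesize; /* bits per sample */
    uint32_t data_len;   /* "data" chunk length in bytes */
} wav_hdr;

enum { WAV_OK = 0, WAV_EFORMAT, WAV_ECHANNELS, WAV_ESAMPLESIZE, WAV_EALIGN,
       WAV_ELENGTH, WAV_ENOMEM };

#define MAX_CHANNELS   256u         /* example limit */
#define MAX_DATA_BYTES (64u << 20)  /* example limit: at most 64 MiB of PCM */

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the 20 header bytes described above; returns 0 on success. */
int wav_parse_hdr(const unsigned char *p, size_t n, wav_hdr *h) {
    if (n < 20) return -1;
    h->format = le16(p);           h->channels = le16(p + 2);
    h->samplerate = le32(p + 4);   /* p + 8: byte rate, unused here */
    h->align = le16(p + 12);       h->samplesize = le16(p + 14);
    h->data_len = le32(p + 16);
    return 0;
}

/* Bytes the unchecked reader asks for: one int32_t per channel per frame,
 * with channels and frame count taken straight from the header. */
size_t wav_unchecked_request(const wav_hdr *h) {
    size_t frames = h->align ? h->data_len / h->align : h->data_len;
    return frames * h->channels * sizeof(int32_t);
}

/* Unchecked: trusts the header and uses the allocation without testing it.
 * For crafted_hdr below the request is about 1.1e15 bytes, malloc() returns
 * NULL and the store to buf[0] is a NULL pointer dereference (SIGSEGV), so
 * this example only ever calls it on benign_hdr.  Caller frees the result. */
int32_t *wav_open_unchecked(const wav_hdr *h) {
    int32_t *buf = malloc(wav_unchecked_request(h));
    buf[0] = 0;
    return buf;
}

/* Checked: every header-derived quantity is validated before it reaches the
 * allocator, and a NULL result is reported to the caller, not dereferenced. */
int wav_open_checked(const wav_hdr *h, int32_t **out, size_t *out_samples) {
    *out = NULL;
    *out_samples = 0;
    if (h->format != 1) return WAV_EFORMAT;
    if (h->channels == 0 || h->channels > MAX_CHANNELS) return WAV_ECHANNELS;
    if (h->samplesize != 8 && h->samplesize != 16 &&
        h->samplesize != 24 && h->samplesize != 32) return WAV_ESAMPLESIZE;
    /* align must agree with channels and sample width: a mismatch means a
     * corrupt or crafted header, and every later size derives from it */
    if (h->align != (uint32_t)h->channels * (h->samplesize / 8)) return WAV_EALIGN;
    if (h->data_len == 0 || h->data_len % h->align != 0 ||
        h->data_len > MAX_DATA_BYTES) return WAV_ELENGTH;
    /* align >= channels, so samples <= data_len <= 64 Mi: no overflow possible */
    size_t samples = (size_t)(h->data_len / h->align) * h->channels;
    int32_t *buf = calloc(samples, sizeof(int32_t));
    if (buf == NULL) return WAV_ENOMEM;
    *out = buf;
    *out_samples = samples;
    return WAV_OK;
}

/* Constructed inputs, not captured from real files: a benign 16-bit stereo
 * header with 1024 data bytes, and a crafted one claiming 65535 one-byte
 * channels in a 0xFFFFFFFF-byte data chunk. */
static const unsigned char benign_hdr[20] = {
    1, 0,  2, 0,  0x44, 0xAC, 0, 0,  0x10, 0xB1, 0x02, 0,  4, 0,  16, 0,
    0x00, 0x04, 0, 0 };
static const unsigned char crafted_hdr[20] = {
    1, 0,  0xFF, 0xFF,  0x44, 0xAC, 0, 0,  0, 0, 0, 0,  1, 0,  8, 0,
    0xFF, 0xFF, 0xFF, 0xFF };

int main(void) {
    wav_hdr h; int32_t *buf; size_t n;
    wav_parse_hdr(benign_hdr, sizeof benign_hdr, &h);
    int rc = wav_open_checked(&h, &buf, &n);
    printf("benign:  checked rc=%d, samples=%zu\n", rc, n);
    free(buf);
    wav_parse_hdr(crafted_hdr, sizeof crafted_hdr, &h);
    printf("crafted: unchecked would request %zu bytes, checked rc=%d\n",
           wav_unchecked_request(&h), wav_open_checked(&h, &buf, &n));
    return 0;
}
```

On the crafted header the checked reader stops at the channel count before any allocation happens, while the unchecked reader's request is over 10^15 bytes, so malloc() fails and the store to buf[0] faults. When reviewing a fix for this class of bug, look for both halves: validation of every header field that feeds a size computation, and a NULL check on every allocation that follows; the 2014 patch discussed in comments 4 and 5 would have to supply both to cover this report.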
