Bug 1557221 (CVE-2018-5146) - CVE-2018-5146 Mozilla: Vorbis audio processing out of bounds write (MFSA 2018-08)
Summary: CVE-2018-5146 Mozilla: Vorbis audio processing out of bounds write (MFSA 2018...
Status: CLOSED ERRATA
Alias: CVE-2018-5146
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20180316,repor...
Keywords: Security
: 1557113 (view as bug list)
Depends On: 1558171 1558172 1551863 1551864 1551865 1551866 1557115 1557116 1557117 1557118 1558170 1558173 1558174 1558175 1558176 1558177 1558384 1558385 1558386 1558388 1558389 1558390 1558391 1558392 1558393 1558394 1558395 1558396 1558397 1558398 1558399
Blocks: 1557112
TreeView+ depends on / blocked
 
Reported: 2018-03-16 08:43 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-06-11 11:13 UTC (History)
28 users (show)

(edit)
An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code.
Clone Of:
(edit)
Last Closed: 2019-06-10 10:17:52 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0549 None None None 2018-03-19 05:17 UTC
Red Hat Product Errata RHSA-2018:0647 None None None 2018-04-05 20:23 UTC
Red Hat Product Errata RHSA-2018:0648 None None None 2018-04-05 20:06 UTC
Red Hat Product Errata RHSA-2018:0649 None None None 2018-04-05 20:01 UTC
Red Hat Product Errata RHSA-2018:1058 None None None 2018-04-10 09:10 UTC

Description Huzaifa S. Sidhpurwala 2018-03-16 08:43:43 UTC
As per upstream advisory:

An out of bounds write while processing vorbis audio data was reported through the Pwn2Own contest.

Comment 2 Huzaifa S. Sidhpurwala 2018-03-16 08:43:53 UTC
External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-08

Comment 4 Kurt Seifried 2018-03-16 17:33:07 UTC
This issue is now public via upstream advisory:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Comment 5 Clifford Perry 2018-03-16 19:44:41 UTC
*** Bug 1557113 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2018-03-19 05:17:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2018:0549 https://access.redhat.com/errata/RHSA-2018:0549

Comment 8 Pedro Sampaio 2018-03-19 18:41:39 UTC
Created mozjs45 tracking bugs for this issue:

Affects: fedora-all [bug 1558176]


Created mozjs38 tracking bugs for this issue:

Affects: fedora-all [bug 1558177]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 1558173]


Created mingw-libvorbis tracking bugs for this issue:

Affects: fedora-all [bug 1558174]


Created libvorbis tracking bugs for this issue:

Affects: fedora-all [bug 1558170]


Created xulrunner tracking bugs for this issue:

Affects: fedora-26 [bug 1558172]


Created mingw-libvorbis tracking bugs for this issue:

Affects: epel-7 [bug 1558171]


Created mozjs38 tracking bugs for this issue:

Affects: epel-7 [bug 1558175]

Comment 10 Doran Moppert 2018-03-20 04:43:37 UTC
It appears that mozjs does not build vorbis support.

Comment 11 Doran Moppert 2018-03-20 04:44:03 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Richard Zhu via Trend Micro's Zero Day Initiative

Comment 17 Doran Moppert 2018-03-22 03:08:33 UTC
Upstream patch (libvorbis):

https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f

Comment 19 Doran Moppert 2018-03-26 02:33:27 UTC
Thunderbird 52.7 ESR includes this fix.

Comment 20 errata-xmlrpc 2018-04-05 20:01:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0649 https://access.redhat.com/errata/RHSA-2018:0649

Comment 21 errata-xmlrpc 2018-04-05 20:05:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0648 https://access.redhat.com/errata/RHSA-2018:0648

Comment 22 errata-xmlrpc 2018-04-05 20:23:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0647 https://access.redhat.com/errata/RHSA-2018:0647

Comment 24 errata-xmlrpc 2018-04-10 09:10:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1058 https://access.redhat.com/errata/RHSA-2018:1058

Comment 26 Doran Moppert 2018-04-12 01:09:44 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

The affected code is present in esc and xulrunner, however esc has no support for audio, and xulrunner is limited to using only local content that an attacker can not control. These components are not impacted by this vulnerability.


Note You need to log in before you can comment on or make changes to this bug.