Bug 438125 - vorbis: multiple issues in ogg vorbis and tremor
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: source=vendorsec,reported=20080318,pu...
Keywords: Security
Depends On: CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 CVE-2008-2009
Reported: 2008-03-19 05:40 EDT by Tomas Hoger
Modified: 2008-06-19 09:00 EDT
Doc Type: Bug Fix
Last Closed: 2008-06-19 09:00:07 EDT
Description Tomas Hoger 2008-03-19 05:40:53 EDT
Will Drewry of the Google Security Team reported multiple issues in the OGG Vorbis
and Tremor libraries that could cause applications using those libraries to
crash (NULL pointer dereference or divide by zero), enter an infinite loop, or
suffer a heap overflow caused by an integer overflow.
Comment 4 Josh Bressers 2008-03-20 15:07:34 EDT
Here are the fixes according to Monty:

 r14604: check for / reject impossibly large codebook requests;
 protects against the case of overflowing a 32 bit integer and
 requesting a negative heap allocation.

 r14602: reject nonsensical 0-dimension codebooks.  Prevents a divide
 by zero crash.

 r14598, r14600: Prevent heap overflows caused by dim=bignum and
 partition_codewords = partition_values^dim.  partition_codewords is
 actually overdetermined; in the case of inconsistency, mark stream
 undecodable.  Protects against the case of overflowing a 32 bit
 integer and requesting a negative heap allocation.

The revisions refer to the xiph subversion repository:
http://svn.xiph.org/
Comment 5 Josh Bressers 2008-03-20 15:10:38 EDT
Monty also says we want revision 14502:

"It just checked to see if the declared string lengths (vorbis comments are
length coded) are longer than the actual comment packet."
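An added example (my own C, not code from libvorbis, Tremor or the revisions above) that models the three checks described in Comment 4 and Comment 5: rejecting a 0-dimension codebook, computing partition_values^dim without 32-bit wrap-around and treating a mismatch with the separately declared codeword count as an undecodable stream, and refusing a length-coded comment string whose declared length runs past the end of the packet. The function and result names are assumptions; the little-endian 32-bit length prefix is the layout of Vorbis comment strings, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Result codes for the hypothetical validators below (not libvorbis names). */
enum { CB_OK = 0, CB_ZERO_DIM = -1, CB_OVERFLOW = -2, CB_INCONSISTENT = -3 };

/* partition_values^dim without 32-bit wrap-around.  A wrapped result is what
 * turned a huge codebook request into a negative heap allocation. */
static int checked_pow_i32(int32_t base, int32_t dim, int32_t *out) {
    if (dim <= 0) return CB_ZERO_DIM;        /* 0-dimension codebook: later div by zero */
    if (base < 1) return CB_INCONSISTENT;    /* assumption: a partition needs >= 1 value */
    int64_t acc = 1;
    for (int32_t i = 0; i < dim; i++) {
        acc *= base;                             /* acc <= INT32_MAX before the multiply, */
        if (acc > INT32_MAX) return CB_OVERFLOW; /* so this cannot wrap in 64 bits */
    }
    *out = (int32_t)acc;
    return CB_OK;
}

/* partition_codewords is overdetermined: the header carries a count elsewhere
 * and it must also equal partition_values^dim.  Any mismatch marks the stream
 * undecodable instead of trusting the larger of the two values. */
static int validate_partition(int32_t declared_codewords, int32_t partition_values, int32_t dim) {
    int32_t computed;
    int rc = checked_pow_i32(partition_values, dim, &computed);
    if (rc != CB_OK) return rc;
    return (computed == declared_codewords) ? CB_OK : CB_INCONSISTENT;
}

/* Walk length-coded comment strings (u32 little-endian length + bytes) and
 * reject any declared length that runs past the end of the packet.
 * Returns the number of strings parsed, or -1 on a bad length. */
static int count_comment_strings(const uint8_t *pkt, size_t len) {
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 4) return -1;               /* truncated length field */
        uint32_t slen = (uint32_t)pkt[pos] | (uint32_t)pkt[pos + 1] << 8 |
                        (uint32_t)pkt[pos + 2] << 16 | (uint32_t)pkt[pos + 3] << 24;
        pos += 4;
        if (slen > len - pos) return -1;            /* declared length exceeds packet */
        pos += slen;
        n++;
    }
    return n;
}
```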
Comment 15 Tomas Hoger 2008-06-19 09:00:07 EDT
All individual issues are resolved now, closing this bug as well.