Bug 438125 - vorbis: multiple issues in ogg vorbis and tremor
Summary: vorbis: multiple issues in ogg vorbis and tremor
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 CVE-2008-2009
Blocks:
Reported: 2008-03-19 09:40 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-19 13:00:07 UTC
Embargoed:



Description Tomas Hoger 2008-03-19 09:40:53 UTC
Will Drewry of the Google Security Team reported multiple issues in the OGG Vorbis
and Tremor libraries that could cause applications using those libraries to
crash (NULL pointer dereference or divide by zero), enter an infinite loop, or
suffer a heap overflow caused by an integer overflow.

Comment 4 Josh Bressers 2008-03-20 19:07:34 UTC
Here are the fixes according to Monty:

 r14604: check for / reject impossibly large codebook requests;
 protects against the case of overflowing a 32 bit integer and
 requesting a negative heap allocation.

 r14602: reject nonsensical 0-dimension codebooks.  Prevents a divide
 by zero crash.

 r14598, r14600: Prevent heap overflows caused by dim=bignum and
 partition_codewords = partition_values^dim.  partition_codewords is
 actually overdetermined; in the case of inconsistency, mark stream
 undecodable.  Protects against the case of overflowing a 32 bit
 integer and requesting a negative heap allocation.


The revisions refer to the xiph subversion repository:
http://svn.xiph.org/

Comment 5 Josh Bressers 2008-03-20 19:10:38 UTC
Monty also says we want revision 14502:

"It just checked to see if the declared string lengths (vorbis comments are
length coded) are longer than the actual comment packet."
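
The two classes of check described in comments 4 and 5 (overflow-safe computation of partition_values^dim with rejection of 0-dimension codebooks and of inconsistent declared counts, and validation of a length-coded comment string against the remaining packet) are illustrated below. This is an added example written for this page, not libvorbis or Tremor source and not the content of the cited revisions; the function names, the signed-32-bit limit used as the allocation bound, and the constructed sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (hypothetical helper, not libvorbis code).
 * Computes partition_values^dim and returns -1 when dim is 0 (a later
 * division by dim would trap) or when the product would exceed a signed
 * 32-bit int (the value that, passed to an allocator, wraps negative). */
long safe_codeword_count(long partition_values, long dim)
{
    if (dim <= 0 || partition_values <= 0) return -1;   /* nonsensical header */
    long acc = 1;
    for (long i = 0; i < dim; i++) {
        if (acc > INT32_MAX / partition_values) return -1; /* would overflow */
        acc *= partition_values;
    }
    return acc;
}

/* partition_codewords is overdetermined: the stream declares a count that
 * must equal partition_values^dim. Returns 1 when consistent, 0 when the
 * stream should be marked undecodable (mismatch or overflow). */
int partitions_consistent(long declared_codewords, long partition_values, long dim)
{
    long expected = safe_codeword_count(partition_values, dim);
    return expected >= 0 && expected == declared_codewords;
}

/* Vorbis comment strings are a 32-bit little-endian length followed by that
 * many bytes. Returns the declared length when it fits inside the packet,
 * or -1 when the header is truncated or the length overruns the packet. */
long long read_comment_length(const unsigned char *pkt, size_t pkt_len, size_t pos)
{
    if (pos > pkt_len || pkt_len - pos < 4) return -1;    /* no room for length */
    uint32_t declared = (uint32_t)pkt[pos]
                      | ((uint32_t)pkt[pos + 1] << 8)
                      | ((uint32_t)pkt[pos + 2] << 16)
                      | ((uint32_t)pkt[pos + 3] << 24);
    size_t remaining = pkt_len - pos - 4;
    if (declared > remaining) return -1;                   /* overruns packet */
    return (long long)declared;
}

/* Constructed sample packets (not captured from a real file). */
static const unsigned char good_pkt[] = { 0x04, 0x00, 0x00, 0x00, 'x', 'i', 'p', 'h' };
static const unsigned char bad_pkt[]  = { 0x10, 0x00, 0x00, 0x00, 'x', 'i', 'p', 'h' }; /* claims 16 bytes */

int main(void)
{
    printf("2^3            -> %ld\n", safe_codeword_count(2, 3));     /* 8  */
    printf("2^0            -> %ld\n", safe_codeword_count(2, 0));     /* -1 */
    printf("1000^4         -> %ld\n", safe_codeword_count(1000, 4));  /* -1, overflow */
    printf("declared 9=2^3 -> %d\n",  partitions_consistent(9, 2, 3));/* 0  */
    printf("good comment   -> %lld\n", read_comment_length(good_pkt, sizeof good_pkt, 0)); /* 4  */
    printf("bad comment    -> %lld\n", read_comment_length(bad_pkt, sizeof bad_pkt, 0));   /* -1 */
    return 0;
}
```

The overflow guard tests `acc > INT32_MAX / partition_values` before each multiplication rather than checking the product afterwards, because signed overflow is undefined behaviour in C and cannot be detected reliably once it has happened; the comment check compares the declared length against the bytes actually remaining instead of trusting the header.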

Comment 15 Tomas Hoger 2008-06-19 13:00:07 UTC
All individual issues are resolved now, closing this bug as well.

