Bug 440706 (CVE-2008-1420) - CVE-2008-1420 vorbis: integer overflow in partvals computation
Summary: CVE-2008-1420 vorbis: integer overflow in partvals computation
Status: CLOSED ERRATA
Alias: CVE-2008-1420
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20080318,pu...
Keywords: Security
Depends On: 444703 444704 444705 444706 444707 444708 446341 446342 446343 446344 833929
Blocks: 438125
TreeView+ depends on / blocked
 
Reported: 2008-04-04 15:22 UTC by Tomas Hoger
Modified: 2019-06-08 12:29 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2008-06-19 10:47:37 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0270 normal SHIPPED_LIVE Important: libvorbis security update 2008-05-14 07:54:26 UTC
Red Hat Product Errata RHSA-2008:0271 normal SHIPPED_LIVE Important: libvorbis security update 2008-05-14 07:35:55 UTC

Description Tomas Hoger 2008-04-04 15:22:34 UTC
Will Drewry of the Google Security Team reported an issue in OGG Vorbis library,
that can cause an integer overflow leading to possible heap overflow.

Comment 3 Tomas Hoger 2008-04-04 15:45:21 UTC
Upstream patch:

$ svn log -r 14598 http://svn.xiph.org/trunk/vorbis/
------------------------------------------------------------------------
r14598 | xiphmont | 2008-03-18 16:39:43 +0100 (Tue, 18 Mar 2008) | 6 lines

Add code to prevent heap attacks by exploiting dim=bignum and
partition_codewords = partion_values^dim.  partition_codewords is
actually overdetermined; in the case of inconsistency, mark stream
undecodable.

------------------------------------------------------------------------

$ svn diff -r 14597:14600 http://svn.xiph.org/trunk/vorbis/lib
Index: misc.h
===================================================================
--- misc.h      (revision 14597)
+++ misc.h      (revision 14600)
@@ -29,6 +29,7 @@
 #ifdef DEBUG_MALLOC

 #define _VDBG_GRAPHFILE "malloc.m"
+#undef _VDBG_GRAPHFILE
 extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line);
 extern void _VDBG_free(void *ptr,char *file,long line);

Index: res0.c
===================================================================
--- res0.c      (revision 14597)
+++ res0.c      (revision 14600)
@@ -223,6 +223,20 @@
   for(j=0;j<acc;j++)
     if(info->booklist[j]>=ci->books)goto errout;

+  /* verify the phrasebook is not specifying an impossible or
+     inconsistent partitioning scheme. */
+  {
+    int entries = ci->book_param[info->groupbook]->entries;
+    int dim = ci->book_param[info->groupbook]->dim;
+    int partvals = 1;
+    while(dim>0){
+      partvals *= info->partitions;
+      if(partvals > entries) goto errout;
+      dim--;
+    }
+    if(partvals != entries) goto errout;
+  }
+
   return(info);
  errout:
   res0_free_info(info);
@@ -263,7 +277,7 @@
     }
   }

-  look->partvals=rint(pow((float)look->parts,(float)dim));
+  look->partvals=look->phrasebook->entries;
   look->stages=maxstage;
   look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
   for(j=0;j<look->partvals;j++){
Index: misc.c
===================================================================
--- misc.c      (revision 14597)
+++ misc.c      (revision 14600)
@@ -190,7 +190,10 @@
   pthread_mutex_unlock(&memlock);
 }

-extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){
+void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){
+  if(bytes<=0)
+    fprintf(stderr,"bad malloc request (%ld bytes) from %s:%ld\n",bytes,file,line);
+
   bytes+=HEAD_ALIGN;
   if(ptr){
     ptr-=HEAD_ALIGN;
@@ -203,7 +206,7 @@
   return _insert(ptr,bytes,file,line);
 }

-extern void _VDBG_free(void *ptr,char *file,long line){
+void _VDBG_free(void *ptr,char *file,long line){
   if(ptr){
     ptr-=HEAD_ALIGN;
     _ripremove(ptr);


Comment 8 Tomas Hoger 2008-05-14 07:30:40 UTC
Lifting embargo.

Comment 10 Fedora Update System 2008-05-14 10:47:55 UTC
libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9

Comment 11 Fedora Update System 2008-05-14 10:50:13 UTC
libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8

Comment 12 Fedora Update System 2008-05-14 10:51:49 UTC
libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7

Comment 13 Fedora Update System 2008-05-14 22:08:00 UTC
libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-05-14 22:08:44 UTC
libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-05-14 22:10:02 UTC
libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.