Bug 531765 - (CVE-2009-3379) CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=internet,repo...
Keywords: Security
Depends On: 532415 532416 532417 532418 532419 833931
Reported: 2009-10-29 09:01 EDT by Tomas Hoger
Modified: 2012-06-20 10:20 EDT
Doc Type: Bug Fix
Last Closed: 2009-11-19 10:04:55 EST


Attachments
Patches for 1.2.0 (2.57 KB, application/x-compressed-tar)
2009-10-30 10:26 EDT, Tomas Hoger

Description Tomas Hoger 2009-10-29 09:01:47 EDT
Quoting Mozilla Foundation Security Advisory 2009-63:

  http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

  Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported
  crashes in libvorbis.

The advisory provides the following bug list:

https://bugzilla.mozilla.org/buglist.cgi?bug_id=501279,499512,500254,515889,507167

with only 500254 being public at the moment.
Comment 1 Tomas Hoger 2009-10-29 09:31:36 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=500254
reported by Lucas Adamski

This issue is already known as CVE-2009-2663 (bug #516259).  It was first fixed in Firefox 3.5.2 / 1.9.1.2 via:

  http://www.mozilla.org/security/announce/2009/mfsa2009-45.html

(part of the "Browser crashes - Firefox 3.5").  Not sure why Mozilla upstream is mentioning this as a security fix again; the bug seems to have been re-tested, as the backported patch added in 1.9.1.2 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 1.9.1.4.

libvorbis packages in Red Hat Enterprise Linux have this fix included already:

  https://www.redhat.com/security/data/cve/CVE-2009-2663.html
Comment 2 Tomas Hoger 2009-10-29 09:52:00 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=515889

This is a report of a possible integer overflow leading to a bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)codebook.c.  This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which has also been fixed in the libvorbis packages in Red Hat Enterprise Linux for a while:

  https://www.redhat.com/security/data/cve/CVE-2008-1423.html
Comment 3 Tomas Hoger 2009-10-29 11:39:25 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=501279

Looks like this mozilla hg commit has some relevant test cases:

  http://hg.mozilla.org/mozilla-central/rev/5e68517728d2

Related vorbis SVN commit should be r16218:

  https://trac.xiph.org/changeset/16218
Comment 5 Tomas Hoger 2009-10-29 12:01:26 EDT
https://bugzilla.mozilla.org/show_bug.cgi?id=507167

Searching mozilla hg for 507167 yields this commit:

  http://hg.mozilla.org/mozilla-central/rev/196956e36ed2

That "update to latest vorbis SVN" change seems to include two vorbis SVN commits:

  https://trac.xiph.org/changeset/16552
  https://trac.xiph.org/changeset/16597

r16552 seems to be changing / enhancing previous r14598:

  https://trac.xiph.org/changeset/14598

which is a fix for CVE-2008-1420 (bug #440706).  r16552 seems to make certain ogg files playable again which were treated as invalid with the original patch.

Hence r16597 should be relevant for mozilla 507167.
Comment 6 Tomas Hoger 2009-10-29 16:14:19 EDT
(In reply to comment #1)
> (part of the "Browser crashes - Firefox 3.5").  Not sure why Mozilla upstream
> is mentioning this as security fix again, the bug seems to have been re-tested
> as the backported patch added in 1.9.1.2 was dropped during the rebase to
> libvorbis 1.2.3 in 3.5.4 / 1.9.1.4.

The advisory is now updated; 500254 was removed with the following explanation:

  The original version of this advisory incorrectly included bug 500254 as
  part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as
  CVE-2009-2663
Comment 7 Tomas Hoger 2009-10-30 10:09:46 EDT
Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed:

  https://trac.xiph.org/changeset/16218 (501279)
  https://trac.xiph.org/changeset/16597 (507167)

One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check.  That was fixed as part of the larger hardening commit:

  https://trac.xiph.org/changeset/16222

Another similar fix:

  https://trac.xiph.org/changeset/16217

And finally this commit, which should prevent some unspecified overflows and which may also be an ABI breaker:

  https://trac.xiph.org/changeset/16326

Anyone see anything else we should consider?
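As an added example (not code from libvorbis, Mozilla or this bug), the class of defect comment 7 describes: a length check on a length-prefixed field that an unsigned integer overflow makes pass, beside an overflow-safe version. The layout mimics a Vorbis comment header's user-comment list (u32 LE count, then u32 LE length plus bytes per entry); the exact check libvorbis used is not given on the page, so the function names, the naive check and the inputs are hypothetical and constructed.

```c
/* Added example, not libvorbis code: why a bounds check on a length-prefixed
 * field must not add attacker-controlled lengths to a position.  Names and
 * inputs are hypothetical and constructed for illustration. */
#include <stdint.h>
#include <stddef.h>

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive: pos + 4 + len wraps when len is near UINT32_MAX, so a bogus length
 * passes and a later allocation or copy works with a garbage size. */
int naive_field_ok(const uint8_t *buf, uint32_t size, uint32_t pos) {
    if (pos + 4 > size) return 0;
    uint32_t len = rd_u32le(buf + pos);
    return pos + 4 + len <= size;          /* unsigned wrap-around here */
}

/* Hardened: compare the length against the bytes remaining after the
 * length word; only subtractions that are already known to be safe. */
int safe_field_ok(const uint8_t *buf, uint32_t size, uint32_t pos) {
    if (pos > size || size - pos < 4) return 0;
    uint32_t len = rd_u32le(buf + pos);
    return len <= size - pos - 4;
}

/* Walk a comment list with the safe check; returns the entry count, or -1
 * if any declared length does not fit inside the buffer. */
int count_comments(const uint8_t *buf, uint32_t size) {
    if (size < 4) return -1;
    uint32_t n = rd_u32le(buf), pos = 4;
    for (uint32_t i = 0; i < n; i++) {
        if (!safe_field_ok(buf, size, pos)) return -1;
        pos += 4 + rd_u32le(buf + pos);    /* already checked to fit */
    }
    return (int)n;
}

/* Constructed inputs: a valid two-entry list, and a list whose single entry
 * declares length 0xFFFFFFFC, which wraps the naive check. */
const uint8_t good_list[] = { 2,0,0,0, 3,0,0,0,'a','b','c', 1,0,0,0,'z' };
const uint8_t evil_list[] = { 1,0,0,0, 0xFC,0xFF,0xFF,0xFF, 'x','y' };
```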
Comment 9 Tomas Hoger 2009-10-30 10:26:20 EDT
Created attachment 366806 [details]
Patches for 1.2.0

Patches from comment #7, for 1.2.0 in F-11.
Comment 10 Tomas Hoger 2009-10-30 10:29:50 EDT
(In reply to comment #9)
> Patches from comment #7, for 1.2.0 in F-11.

Apply to 1.0 in EL3 with +-1 offsets, not tested yet.
Comment 12 Monty 2009-11-03 14:57:24 EST
> And finally this commit which should prevent some unspecified overflows, which
> may also be an ABI breaker:
> 
>   https://trac.xiph.org/changeset/16326
> 
> Anyone see anything else we should consider?

Just FYI, the extended structure in question is entirely internal.  No ABI break.

Monty
Comment 14 Fedora Update System 2009-11-09 09:54:11 EST
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libvorbis-1.2.0-9.fc11
Comment 15 Fedora Update System 2009-11-09 10:02:39 EST
libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libvorbis-1.2.0-7.fc10
Comment 16 errata-xmlrpc 2009-11-09 10:22:27 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html
Comment 17 Fedora Update System 2009-11-10 12:43:25 EST
libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-11-10 12:52:28 EST
libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.