Quoting Mozilla Foundation Security Advisory 2009-63: http://www.mozilla.org/security/announce/2009/mfsa2009-63.html Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported crashes in libvorbis. Advisory provides following bug list: https://bugzilla.mozilla.org/buglist.cgi?bug_id=501279,499512,500254,515889,507167 with only 500254 being public at the moment.
https://bugzilla.mozilla.org/show_bug.cgi?id=500254 reported by Lucas Adamski This issue is already known as CVE-2009-2663 (bug #516259). It was first fixed in Firefox 3.5.2 / 1.9.1.2 via: http://www.mozilla.org/security/announce/2009/mfsa2009-45.html (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream is mentioning this as security fix again, the bug seems to have been re-tested as the backported patch added in 1.9.1.2 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 1.9.1.4. libvorbis packages in Red Hat Enterprise Linux have this fix included already: https://www.redhat.com/security/data/cve/CVE-2009-2663.html
https://bugzilla.mozilla.org/show_bug.cgi?id=515889 This is a report of the possible integer overflow leading to bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)cookbook.c. This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which is also fixed in libvorbis packages in Red Hat Enterprise Linux for a while: https://www.redhat.com/security/data/cve/CVE-2008-1423.html
https://bugzilla.mozilla.org/show_bug.cgi?id=501279 Looks like this mozilla hg commit has some relevant test cases: http://hg.mozilla.org/mozilla-central/rev/5e68517728d2 Related vorbis SVN commit should be r16218: https://trac.xiph.org/changeset/16218
https://bugzilla.mozilla.org/show_bug.cgi?id=507167 Searching mozilla hg for 507167 yields this commit: http://hg.mozilla.org/mozilla-central/rev/196956e36ed2 That "update to latest vorbis SVN" change seems to include two vorbis SVN commits: https://trac.xiph.org/changeset/16552 https://trac.xiph.org/changeset/16597 r16552 seems to be changing / enhancing previous r14598: https://trac.xiph.org/changeset/14598 which is a fix for CVE-2008-1420 (bug #440706). r16552 seems to make certain ogg files playable again, which were treated as invalid with original patch. Hence r16597 should be relevant for mozilla 507167.
(In reply to comment #1) > (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream > is mentioning this as security fix again, the bug seems to have been re-tested > as the backported patch added in 1.9.1.2 was dropped during the rebase to > libvorbis 1.2.3 in 3.5.4 / 1.9.1.4. Advisory is now updated, 500254 was removed with following explanation: The original version of this advisory incorrectly included bug 500254 as part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as CVE-2009-2663
Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed: https://trac.xiph.org/changeset/16218 (501279) https://trac.xiph.org/changeset/16597 (507167) One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check. That was fixed as part of the larger hardening commit: https://trac.xiph.org/changeset/16222 Another similar fix: https://trac.xiph.org/changeset/16217 And finally this commit which should prevent some unspecified overflows, which may also be an ABI breaker: https://trac.xiph.org/changeset/16326 Anyone see anything else we should consider?
Created attachment 366806 [details] Patches for 1.2.0 Patches from comment #7, for 1.2.0 in F-11.
(In reply to comment #9) > Patches from comment #7, for 1.2.0 in F-11. Apply to 1.0 in EL3 with +-1 offsets, not tested yet.
> And finally this commit which should prevent some unspecified overflows, which > may also be an ABI breaker: > > https://trac.xiph.org/changeset/16326 > > Anyone see anything else we should consider? Just FYI, the extended structure in question is entirely internal. No ABI break. Monty
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libvorbis-1.2.0-9.fc11
libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libvorbis-1.2.0-7.fc10
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html
libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.