Quoting Mozilla Foundation Security Advisory 2009-63:
Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported
crashes in libvorbis.
The advisory provides the following bug list:
with only 500254 being public at the moment.
reported by Lucas Adamski
This issue is already known as CVE-2009-2663 (bug #516259). It was first fixed in Firefox 3.5.2 / 220.127.116.11 via:
(part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream is mentioning this as a security fix again; the bug seems to have been re-tested as the backported patch added in 18.104.22.168 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 22.214.171.124.
libvorbis packages in Red Hat Enterprise Linux have this fix included already:
This is a report of a possible integer overflow leading to a bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)codebook.c. This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which has also been fixed in the libvorbis packages in Red Hat Enterprise Linux for a while:
Looks like this mozilla hg commit has some relevant test cases:
Related vorbis SVN commit should be r16218:
Searching mozilla hg for 507167 yields this commit:
That "update to latest vorbis SVN" change seems to include two vorbis SVN commits:
r16552 seems to be changing / enhancing previous r14598:
which is a fix for CVE-2008-1420 (bug #440706). r16552 seems to make certain ogg files playable again which were treated as invalid with the original patch.
Hence r16597 should be relevant for mozilla 507167.
(In reply to comment #1)
> (part of the "Browser crashes - Firefox 3.5"). Not sure why Mozilla upstream
> is mentioning this as security fix again, the bug seems to have been re-tested
> as the backported patch added in 126.96.36.199 was dropped during the rebase to
> libvorbis 1.2.3 in 3.5.4 / 188.8.131.52.
The advisory is now updated; 500254 was removed with the following explanation:
The original version of this advisory incorrectly included bug 500254 as
part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as
Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed:
One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check. That was fixed as part of the larger hardening commit:
Another similar fix:
And finally this commit which should prevent some unspecified overflows, which may also be an ABI breaker:
Anyone see anything else we should consider?
Created attachment 366806
Patches for 1.2.0
Patches from comment #7, for 1.2.0 in F-11.
(In reply to comment #9)
> Patches from comment #7, for 1.2.0 in F-11.
Apply to 1.0 in EL3 with +-1 offsets, not tested yet.
> And finally this commit which should prevent some unspecified overflows, which
> may also be an ABI breaker:
> Anyone see anything else we should consider?
Just FYI, the extended structure in question is entirely internal. No ABI break.
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11.
libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html
libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.