Bug 531765 (CVE-2009-3379) - CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63
Summary: CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 532415 532416 532417 532418 532419 833931
Blocks:
 
Reported: 2009-10-29 13:01 UTC by Tomas Hoger
Modified: 2019-09-29 12:33 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-19 15:04:55 UTC
Embargoed:


Attachments
Patches for 1.2.0 (2.57 KB, application/x-compressed-tar)
2009-10-30 14:26 UTC, Tomas Hoger


Links
Red Hat Product Errata RHSA-2009:1561 (status SHIPPED_LIVE, priority normal, not private): Important: libvorbis security update, last updated 2009-11-09 15:22:21 UTC

Description Tomas Hoger 2009-10-29 13:01:47 UTC
Quoting Mozilla Foundation Security Advisory 2009-63:

  http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

  Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported
  crashes in libvorbis.

The advisory provides the following bug list:

https://bugzilla.mozilla.org/buglist.cgi?bug_id=501279,499512,500254,515889,507167

with only 500254 being public at the moment.

Comment 1 Tomas Hoger 2009-10-29 13:31:36 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=500254
reported by Lucas Adamski

This issue is already known as CVE-2009-2663 (bug #516259).  It was first fixed in Firefox 3.5.2 / 1.9.1.2 via:

  http://www.mozilla.org/security/announce/2009/mfsa2009-45.html

(part of the "Browser crashes - Firefox 3.5").  Not sure why Mozilla upstream is mentioning this as security fix again, the bug seems to have been re-tested as the backported patch added in 1.9.1.2 was dropped during the rebase to libvorbis 1.2.3 in 3.5.4 / 1.9.1.4.

libvorbis packages in Red Hat Enterprise Linux have this fix included already:

  https://www.redhat.com/security/data/cve/CVE-2009-2663.html

Comment 2 Tomas Hoger 2009-10-29 13:52:00 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=515889

This is a report of a possible integer overflow leading to a bogus allocation of quantlist in vorbis_staticbook_unpack() in (vorbis_)codebook.c.  This seems to be a dupe of the older CVE-2008-1423 (bug #440709), which has also been fixed in the libvorbis packages in Red Hat Enterprise Linux for a while:

  https://www.redhat.com/security/data/cve/CVE-2008-1423.html

Comment 3 Tomas Hoger 2009-10-29 15:39:25 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=501279

Looks like this mozilla hg commit has some relevant test cases:

  http://hg.mozilla.org/mozilla-central/rev/5e68517728d2

Related vorbis SVN commit should be r16218:

  https://trac.xiph.org/changeset/16218

Comment 5 Tomas Hoger 2009-10-29 16:01:26 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=507167

Searching mozilla hg for 507167 yields this commit:

  http://hg.mozilla.org/mozilla-central/rev/196956e36ed2

That "update to latest vorbis SVN" change seems to include two vorbis SVN commits:

  https://trac.xiph.org/changeset/16552
  https://trac.xiph.org/changeset/16597

r16552 seems to be changing / enhancing previous r14598:

  https://trac.xiph.org/changeset/14598

which is a fix for CVE-2008-1420 (bug #440706).  r16552 seems to make certain ogg files playable again, which were treated as invalid with original patch.

Hence r16597 should be relevant for mozilla 507167.

Comment 6 Tomas Hoger 2009-10-29 20:14:19 UTC
(In reply to comment #1)
> (part of the "Browser crashes - Firefox 3.5").  Not sure why Mozilla upstream
> is mentioning this as security fix again, the bug seems to have been re-tested
> as the backported patch added in 1.9.1.2 was dropped during the rebase to
> libvorbis 1.2.3 in 3.5.4 / 1.9.1.4.

The advisory is now updated; 500254 was removed with the following explanation:

  The original version of this advisory incorrectly included bug 500254 as
  part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as
  CVE-2009-2663

Comment 7 Tomas Hoger 2009-10-30 14:09:46 UTC
Going through the mozilla bugs, this is my list of vorbis SVN commits that should be needed:

  https://trac.xiph.org/changeset/16218 (501279)
  https://trac.xiph.org/changeset/16597 (507167)

One of the test cases triggers NULL deref crash in _vorbis_unpack_comment() because of an integer overflow in the check.  That was fixed as part of the larger hardening commit:

  https://trac.xiph.org/changeset/16222

Another similar fix:

  https://trac.xiph.org/changeset/16217

And finally this commit which should prevent some unspecified overflows, which may also be an ABI breaker:

  https://trac.xiph.org/changeset/16326

Anyone see anything else we should consider?
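
The two overflow shapes raised in comment 2 (quantlist allocation size computed from header fields) and comment 7 (a length field that passes its check but cannot be allocated, leading to a NULL dereference) are illustrated below. This is an added example, not libvorbis or Mozilla code and not the content of the referenced SVN commits: it models each vulnerable computation beside a hardened one. Size arithmetic is done in uint32_t to model a 32-bit size_t (the i386 builds this bug covers); the little-endian 32-bit field layout and the function names are assumptions for the demo, not Ogg's real bit packing.

```c
/*
 * Added illustration, not libvorbis code. Models the two integer-overflow
 * shapes discussed in comments 2 and 7 and the checks that close them.
 * Size arithmetic uses uint32_t to model a 32-bit size_t; with a 64-bit
 * size_t the same inputs would not wrap, which is why such bugs are easy
 * to miss in testing. Little-endian 32-bit fields are a demo assumption.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ELEM_SIZE 4u  /* sizeof(long) on a 32-bit target (assumption) */

/* (1) Codebook quantlist allocation as a vulnerable unpack computes it:
 * entries*dim elements of ELEM_SIZE bytes, with unsigned wrap-around.
 * The returned byte count is what would reach malloc(); the decode loop
 * would still iterate entries*dim times, writing far past the block. */
uint32_t quantlist_bytes_unchecked(uint32_t entries, uint32_t dim)
{
    uint32_t quantvals = entries * dim;   /* may wrap */
    return quantvals * ELEM_SIZE;         /* may wrap again */
}

/* Hardened: every multiplication is checked against the size type before
 * it is done. Returns 1 and the byte count, or 0 if the header is bogus. */
int quantlist_bytes_checked(uint32_t entries, uint32_t dim, uint32_t *bytes)
{
    if (entries == 0 || dim == 0)
        return 0;                          /* a real codebook has entries */
    if (entries > UINT32_MAX / dim)
        return 0;
    uint32_t quantvals = entries * dim;
    if (quantvals > UINT32_MAX / ELEM_SIZE)
        return 0;
    *bytes = quantvals * ELEM_SIZE;
    return 1;
}

/* (2) Comment-header strings: a 32-bit length followed by that many bytes. */
typedef struct { const uint8_t *p; uint32_t len; uint32_t pos; } reader;

/* Returns -1 on truncated input, otherwise the field value (0..2^32-1). */
int64_t read_u32(reader *r)
{
    if (r->len - r->pos < 4) return -1;
    const uint8_t *b = r->p + r->pos;
    r->pos += 4;
    return (int64_t)b[0] | (int64_t)b[1] << 8 | (int64_t)b[2] << 16 | (int64_t)b[3] << 24;
}

/* Vulnerable shape: the only check is that the length is non-negative.
 * A field of 0x7fffffff passes; len+1 then overflows the int, and calloc()
 * receives 0x80000000 bytes on a 32-bit target, fails, and the code writes
 * through the NULL result. This version only reports the decision and the
 * size it would request (unsigned arithmetic keeps the demo free of UB). */
int comment_len_unchecked(int32_t len, uint32_t *alloc)
{
    if (len < 0) return 0;
    *alloc = (uint32_t)len + 1u;
    return 1;
}

/* Hardened: a string cannot be longer than the bytes left in the packet, so
 * bound the length by the remaining input before any arithmetic or
 * allocation, and check the allocation result. Returns a NUL-terminated
 * copy, or NULL on malformed input or allocation failure. */
char *read_comment_checked(reader *r)
{
    int64_t len = read_u32(r);
    if (len < 0 || (uint64_t)len > r->len - r->pos)
        return NULL;
    char *s = calloc((size_t)len + 1, 1);  /* len <= packet size: no wrap */
    if (!s) return NULL;
    memcpy(s, r->p + r->pos, (size_t)len);
    r->pos += (uint32_t)len;
    return s;
}

int main(void)
{
    /* Constructed packet: vendor string "Xiph.Org", then a bogus length. */
    static const uint8_t pkt[] = {
        8, 0, 0, 0, 'X', 'i', 'p', 'h', '.', 'O', 'r', 'g',
        0xff, 0xff, 0xff, 0x7f
    };
    reader r = { pkt, sizeof pkt, 0 };
    char *vendor = read_comment_checked(&r);
    char *next = read_comment_checked(&r);  /* 0x7fffffff > remaining */
    printf("vendor: %s\n", vendor ? vendor : "(rejected)");
    printf("second field: %s\n", next ? next : "(rejected)");
    uint32_t want;
    printf("entries=0x400001 dim=0x400: unchecked=%u bytes, checked=%s\n",
           (unsigned)quantlist_bytes_unchecked(0x400001u, 0x400u),
           quantlist_bytes_checked(0x400001u, 0x400u, &want) ? "ok" : "rejected");
    free(vendor);
    free(next);
    return 0;
}
```

With entries=0x400001 and dim=0x400 the unchecked computation asks malloc for 4096 bytes while the decode loop expects over four billion elements; the checked version rejects the header outright. For the comment string, the remaining-bytes bound rejects the 0x7fffffff length before any allocation is attempted, so the NULL result the unchecked path would dereference never arises.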

Comment 9 Tomas Hoger 2009-10-30 14:26:20 UTC
Created attachment 366806
Patches for 1.2.0

Patches from comment #7, for 1.2.0 in F-11.

Comment 10 Tomas Hoger 2009-10-30 14:29:50 UTC
(In reply to comment #9)
> Patches from comment #7, for 1.2.0 in F-11.

Apply to 1.0 in EL3 with +-1 offsets, not tested yet.

Comment 12 Monty 2009-11-03 19:57:24 UTC
> And finally this commit which should prevent some unspecified overflows, which
> may also be an ABI breaker:
> 
>   https://trac.xiph.org/changeset/16326
> 
> Anyone see anything else we should consider?  

Just FYI, the extended structure in question is entirely internal.  No ABI break.

Monty

Comment 14 Fedora Update System 2009-11-09 14:54:11 UTC
libvorbis-1.2.0-9.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libvorbis-1.2.0-9.fc11

Comment 15 Fedora Update System 2009-11-09 15:02:39 UTC
libvorbis-1.2.0-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libvorbis-1.2.0-7.fc10

Comment 16 errata-xmlrpc 2009-11-09 15:22:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1561 https://rhn.redhat.com/errata/RHSA-2009-1561.html

Comment 17 Fedora Update System 2009-11-10 17:43:25 UTC
libvorbis-1.2.0-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2009-11-10 17:52:28 UTC
libvorbis-1.2.0-9.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

