Bug 1480656 (CVE-2017-11331) - CVE-2017-11331 vorbis-tools: Invalid memory allocation in wav_open function in oggenc/audio.c
Summary: CVE-2017-11331 vorbis-tools: Invalid memory allocation in wav_open function i...
Alias: CVE-2017-11331
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1480657
TreeView+ depends on / blocked
Reported: 2017-08-11 15:17 UTC by Pedro Sampaio
Modified: 2019-09-29 14:18 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 03:20:39 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2017-08-11 15:17:39 UTC
A flaw was found in vorbis-tools 1.4.0. The wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) 
via a crafted wav file.



Comment 1 Pedro Sampaio 2017-08-11 15:18:03 UTC
Created vorbis-tools tracking bugs for this issue:

Affects: fedora-all [bug 1480657]

Comment 2 Kamil Dudka 2017-08-14 10:02:23 UTC
To be honest, I do not see any (security) problem here.  If the audio file header is corrupted, oggenc simply cannot cannot open the file.  From user's perspective it does not really matter whether the process is terminated by exit() or by the kernel handling a NULL pointer dereference.  Please clarify what exactly is your concern here.

Comment 3 Pedro Sampaio 2017-08-18 13:11:11 UTC
The fact that it terminates via a NULL pointer dereference means that someone can  crash it from another process. Thats probably why it got a CVE and why its a security issue.

As this already has a CVE, I we can't do anything else about it but feel free to close it of you think you should.

Comment 4 Kamil Dudka 2017-12-06 16:09:23 UTC
Please explain how this differs from CVE-2014-9639 for which we have a patch already installed:


Comment 5 Pedro Sampaio 2017-12-06 17:30:45 UTC
I'm speculating here, but the 2014 CVE looks like an integer overflow that leads to a out-of-bounds read, while this seems a NULL pointer dereference while allocating memory. 

But I couldn't determine for certain if this is the case.

Although, the patch you mentioned really seems to fix this issue too, as stated by other distros bugs (https://security-tracker.debian.org/tracker/CVE-2017-11331).

Note You need to log in before you can comment on or make changes to this bug.