Bug 202941

Summary: audio/vorbis-tools: buffer overflow issue with invalid aiff files (CVE-2015-6749)
Product: Ports & Packages Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)Assignee: Christian Weisgerber <naddy>
Status: Closed FIXED    
Severity: Affects Some People CC: junovitch
Priority: --- Keywords: security
Version: LatestFlags: bugzilla: maintainer-feedback? (naddy)
Hardware: Any   
OS: Any   
URL: https://trac.xiph.org/ticket/2212
Attachments:
Description Flags
Start of a patch
none
Part 2 of patch none

Description Jason Unovitch freebsd_committer freebsd_triage 2015-09-07 02:44:04 UTC 
Maintainer of audio/vorbis-tools,

A security issue has been publically reported against this port.

References:
http://www.openwall.com/lists/oss-security/2015/08/29/1

"Name : vorbis-tool
Affected Version: <= Revision 19495
URL : https://wiki.xiph.org/Vorbis-tools

Description :
An issue was found in oggenc/audio.c when it tries to open invalid AIFF file.

274    if(fread(buffer,1,len,in) < len)
The input buffer and length can be controlled by user indirectly via:

260    if(!find_aiff_chunk(in, "COMM", &len))

More info can be found at :
https://trac.xiph.org/ticket/2212"

http://www.openwall.com/lists/oss-security/2015/08/30/1

"Use CVE-2015-6749"
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-09-09 20:04:38 UTC 
Created attachment 160878 [details]
Start of a patch

I started looking at this and made this to address the most recent issue.  I came across two other issues addressed at the end of 2014 that should be worked in.

http://pkgs.fedoraproject.org/cgit/vorbis-tools.git/tree/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-09-09 20:07:46 UTC 
A commit references this bug:

Author: naddy
Date: Wed Sep  9 20:07:03 UTC 2015
New revision: 396532
URL: https://svnweb.freebsd.org/changeset/ports/396532

Log:
  Fix oggenc buffer overflow.

  PR:		202941
  Submitted by:	junovitch
  Obtained from:	https://trac.xiph.org/ticket/2212
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Security:	CVE-2015-6749
  MFH:		2015Q3

Changes:
  head/audio/vorbis-tools/Makefile
  head/audio/vorbis-tools/files/patch-oggenc_audio.c
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-09-09 20:16:55 UTC 
Still digging around through change logs:

Debian and Fedora both have this as well.  There's no CVE tied to it as far as I can tell.
https://trac.xiph.org/changeset/19117/trunk/vorbis-tools/oggenc
Comment 4 Christian Weisgerber freebsd_committer freebsd_triage 2015-09-09 20:25:17 UTC 
These bugs also affect audio/opus-tools.
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-09-09 21:11:55 UTC 
Created attachment 160879 [details]
Part 2 of patch

audio/vorbis-tools: apply patches for earlier security issues

Obtained from:	https://trac.xiph.org/changeset/19117
Obtained from:	Fedora vorbis-tools Git (commit 63a1a62d)
Security:	CVE-2014-9638
Security:	CVE-2014-9639
Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
MFH:		2015Q3
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-09-10 19:36:31 UTC 
I got sidetracked and wasn't able to look at opus-tools yesterday after uploading the second patch. I'm traveling today and only on my phone. Thanks for taking a look at things in the meantime
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-09-10 19:42:38 UTC 
A commit references this bug:

Author: naddy
Date: Thu Sep 10 19:42:07 UTC 2015
New revision: 396599
URL: https://svnweb.freebsd.org/changeset/ports/396599

Log:
  Fix oggenc crash on raw file close, channel integer overflow, and
  division by zero.

  PR:		202941
  Submitted by:	junovitch
  Obtained from:	https://trac.xiph.org/changeset/19117
  Obtained from:	Fedora vorbis-tools Git (commit 63a1a62d)
  Security:	CVE-2014-9638
  Security:	CVE-2014-9639
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  MFH:		2015Q3

Changes:
  head/audio/vorbis-tools/Makefile
  head/audio/vorbis-tools/files/patch-oggenc_audio.c
  head/audio/vorbis-tools/files/patch-oggenc_oggenc.c
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-09-10 19:46:40 UTC 
A commit references this bug:

Author: naddy
Date: Thu Sep 10 19:46:31 UTC 2015
New revision: 396600
URL: https://svnweb.freebsd.org/changeset/ports/396600

Log:
  Fix opusenc buffer overflow, channel integer overflow, and division
  by zero.  (Same code as vorbis-tools oggenc.)

  PR:		202941
  Obtained from:	https://trac.xiph.org/ticket/2212
  Obtained from:	https://trac.xiph.org/changeset/19117
  Obtained from:	Fedora vorbis-tools Git (commit 63a1a62d)
  Security:	CVE-2015-6749
  Security:	CVE-2014-9638
  Security:	CVE-2014-9639
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  MFH:		2015Q3

Changes:
  head/audio/opus-tools/Makefile
  head/audio/opus-tools/files/patch-src_audio-in.c
Comment 9 Christian Weisgerber freebsd_committer freebsd_triage 2015-09-10 19:50:24 UTC 
Thank you for tracking these down.
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-09-10 19:52:10 UTC 
(In reply to Christian Weisgerber from comment #9)
No problem. Thanks for looking at them so quick. We're just waiting on the MFH approval then, correct?
Comment 11 commit-hook freebsd_committer freebsd_triage 2015-09-11 14:59:08 UTC 
A commit references this bug:

Author: naddy
Date: Fri Sep 11 14:59:05 UTC 2015
New revision: 396673
URL: https://svnweb.freebsd.org/changeset/ports/396673

Log:
  MFH: r396532 r396599

  Fix oggenc buffer overflow, crash on raw file close, channel integer
  overflow, and division by zero.

  PR:		202941
  Submitted by:	junovitch
  Obtained from:	https://trac.xiph.org/ticket/2212
  Obtained from:	https://trac.xiph.org/changeset/19117
  Obtained from:	Fedora vorbis-tools Git (commit 63a1a62d)
  Security:	CVE-2015-6749
  Security:	CVE-2014-9638
  Security:	CVE-2014-9639
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q3/
  branches/2015Q3/audio/vorbis-tools/Makefile
  branches/2015Q3/audio/vorbis-tools/files/patch-oggenc_audio.c
  branches/2015Q3/audio/vorbis-tools/files/patch-oggenc_oggenc.c
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-09-11 15:02:09 UTC 
A commit references this bug:

Author: naddy
Date: Fri Sep 11 15:01:54 UTC 2015
New revision: 396674
URL: https://svnweb.freebsd.org/changeset/ports/396674

Log:
  MFH: r396600

  Fix opusenc buffer overflow, channel integer overflow, and division
  by zero.  (Same code as vorbis-tools oggenc.)

  PR:		202941
  Obtained from:	https://trac.xiph.org/ticket/2212
  Obtained from:	https://trac.xiph.org/changeset/19117
  Obtained from:	Fedora vorbis-tools Git (commit 63a1a62d)
  Security:	CVE-2015-6749
  Security:	CVE-2014-9638
  Security:	CVE-2014-9639
  Security:	a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q3/
  branches/2015Q3/audio/opus-tools/Makefile
  branches/2015Q3/audio/opus-tools/files/patch-src_audio-in.c