Maintainer of audio/vorbis-tools,

A security issue has been publicly reported against this port.

References:

http://www.openwall.com/lists/oss-security/2015/08/29/1

"Name : vorbis-tool
Affected Version: <= Revision 19495
URL : https://wiki.xiph.org/Vorbis-tools

Description :
An issue was found in oggenc/audio.c when it tries to open invalid AIFF file.

274 if(fread(buffer,1,len,in) < len)

The input buffer and length can be controlled by user indirectly via:

260 if(!find_aiff_chunk(in, "COMM", &len))

More info can be found at : https://trac.xiph.org/ticket/2212"

http://www.openwall.com/lists/oss-security/2015/08/30/1

"Use CVE-2015-6749"
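The report above concerns a read whose size comes from the length field of the AIFF `COMM` chunk. As an added illustration (not the vorbis-tools source and not the patch attached to this PR), the reader below keeps that field from sizing anything by reading only the 18 fixed `COMM` bytes into a fixed buffer and rejecting short or nonsensical values; `read_comm`, `demo` and the temporary-file input are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>

#define COMM_FIXED 18u /* channels(2) + frames(4) + sample size(2) + 80-bit rate(10) */

struct comm { uint16_t channels; uint16_t bits; };

/* Hypothetical reader; the stream is positioned just after the "COMM" chunk ID.
 * Returns 0 on success, -1 if the chunk must be rejected. */
static int read_comm(FILE *in, struct comm *out)
{
    unsigned char hdr[4], buf[COMM_FIXED]; /* buffer size never comes from the file */
    uint32_t len;

    if (fread(hdr, 1, 4, in) != 4) return -1;
    len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
          ((uint32_t)hdr[2] << 8) | hdr[3];
    if (len < COMM_FIXED) return -1;                            /* declared too short */
    if (fread(buf, 1, COMM_FIXED, in) != COMM_FIXED) return -1; /* file ends early */
    out->channels = (uint16_t)((buf[0] << 8) | buf[1]);
    out->bits = (uint16_t)((buf[6] << 8) | buf[7]);
    /* Reject values that would break later per-channel arithmetic. */
    if (out->channels == 0 || out->bits == 0 || out->bits > 32) return -1;
    return 0; /* bytes past the fixed fields are left for the caller to skip */
}

/* Constructed input: writes a COMM size field plus body_bytes of body to a
 * temporary file, then parses it. Returns read_comm()'s result, -2 on setup error. */
static int demo(uint32_t declared_len, size_t body_bytes, uint16_t channels)
{
    unsigned char body[32] = {0}, hdr[4];
    struct comm c;
    FILE *f;
    int rc, i;
    if (body_bytes > sizeof body || (f = tmpfile()) == NULL) return -2;
    for (i = 0; i < 4; i++) hdr[i] = (unsigned char)(declared_len >> (24 - 8 * i));
    body[0] = (unsigned char)(channels >> 8); body[1] = (unsigned char)channels;
    body[7] = 16; /* 16-bit samples */
    fwrite(hdr, 1, 4, f);
    fwrite(body, 1, body_bytes, f);
    rewind(f);
    rc = read_comm(f, &c);
    fclose(f);
    return rc;
}

int main(void)
{
    printf("%d %d %d\n", demo(18, 18, 2), demo(0xFFFFFFFFu, 18, 2), demo(18, 10, 2));
    return 0;
}
```

A declared length of `0xFFFFFFFF` is accepted here only because it is never used as an allocation or read size.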
Created attachment 160878
Start of a patch

I started looking at this and made this to address the most recent issue. I came across two other issues addressed at the end of 2014 that should be worked in.

http://pkgs.fedoraproject.org/cgit/vorbis-tools.git/tree/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch
A commit references this bug:

Author: naddy
Date: Wed Sep 9 20:07:03 UTC 2015
New revision: 396532
URL: https://svnweb.freebsd.org/changeset/ports/396532

Log:
  Fix oggenc buffer overflow.

  PR: 202941
  Submitted by: junovitch
  Obtained from: https://trac.xiph.org/ticket/2212
  Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Security: CVE-2015-6749
  MFH: 2015Q3

Changes:
  head/audio/vorbis-tools/Makefile
  head/audio/vorbis-tools/files/patch-oggenc_audio.c
Still digging around through change logs: Debian and Fedora both have this as well. There's no CVE tied to it as far as I can tell. https://trac.xiph.org/changeset/19117/trunk/vorbis-tools/oggenc
These bugs also affect audio/opus-tools.
Created attachment 160879
Part 2 of patch

audio/vorbis-tools: apply patches for earlier security issues

Obtained from: https://trac.xiph.org/changeset/19117
Obtained from: Fedora vorbis-tools Git (commit 63a1a62d)
Security: CVE-2014-9638
Security: CVE-2014-9639
Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
MFH: 2015Q3
I got sidetracked and wasn't able to look at opus-tools yesterday after uploading the second patch. I'm traveling today and only on my phone. Thanks for taking a look at things in the meantime.
A commit references this bug:

Author: naddy
Date: Thu Sep 10 19:42:07 UTC 2015
New revision: 396599
URL: https://svnweb.freebsd.org/changeset/ports/396599

Log:
  Fix oggenc crash on raw file close, channel integer overflow, and
  division by zero.

  PR: 202941
  Submitted by: junovitch
  Obtained from: https://trac.xiph.org/changeset/19117
  Obtained from: Fedora vorbis-tools Git (commit 63a1a62d)
  Security: CVE-2014-9638
  Security: CVE-2014-9639
  Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  MFH: 2015Q3

Changes:
  head/audio/vorbis-tools/Makefile
  head/audio/vorbis-tools/files/patch-oggenc_audio.c
  head/audio/vorbis-tools/files/patch-oggenc_oggenc.c
A commit references this bug:

Author: naddy
Date: Thu Sep 10 19:46:31 UTC 2015
New revision: 396600
URL: https://svnweb.freebsd.org/changeset/ports/396600

Log:
  Fix opusenc buffer overflow, channel integer overflow, and division
  by zero. (Same code as vorbis-tools oggenc.)

  PR: 202941
  Obtained from: https://trac.xiph.org/ticket/2212
  Obtained from: https://trac.xiph.org/changeset/19117
  Obtained from: Fedora vorbis-tools Git (commit 63a1a62d)
  Security: CVE-2015-6749
  Security: CVE-2014-9638
  Security: CVE-2014-9639
  Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  MFH: 2015Q3

Changes:
  head/audio/opus-tools/Makefile
  head/audio/opus-tools/files/patch-src_audio-in.c
Thank you for tracking these down.
(In reply to Christian Weisgerber from comment #9)

No problem. Thanks for looking at them so quickly. We're just waiting on the MFH approval then, correct?
A commit references this bug:

Author: naddy
Date: Fri Sep 11 14:59:05 UTC 2015
New revision: 396673
URL: https://svnweb.freebsd.org/changeset/ports/396673

Log:
  MFH: r396532 r396599

  Fix oggenc buffer overflow, crash on raw file close, channel integer
  overflow, and division by zero.

  PR: 202941
  Submitted by: junovitch
  Obtained from: https://trac.xiph.org/ticket/2212
  Obtained from: https://trac.xiph.org/changeset/19117
  Obtained from: Fedora vorbis-tools Git (commit 63a1a62d)
  Security: CVE-2015-6749
  Security: CVE-2014-9638
  Security: CVE-2014-9639
  Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Approved by: ports-secteam

Changes:
  _U branches/2015Q3/
  branches/2015Q3/audio/vorbis-tools/Makefile
  branches/2015Q3/audio/vorbis-tools/files/patch-oggenc_audio.c
  branches/2015Q3/audio/vorbis-tools/files/patch-oggenc_oggenc.c
A commit references this bug:

Author: naddy
Date: Fri Sep 11 15:01:54 UTC 2015
New revision: 396674
URL: https://svnweb.freebsd.org/changeset/ports/396674

Log:
  MFH: r396600

  Fix opusenc buffer overflow, channel integer overflow, and division
  by zero. (Same code as vorbis-tools oggenc.)

  PR: 202941
  Obtained from: https://trac.xiph.org/ticket/2212
  Obtained from: https://trac.xiph.org/changeset/19117
  Obtained from: Fedora vorbis-tools Git (commit 63a1a62d)
  Security: CVE-2015-6749
  Security: CVE-2014-9638
  Security: CVE-2014-9639
  Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
  Approved by: ports-secteam

Changes:
  _U branches/2015Q3/
  branches/2015Q3/audio/opus-tools/Makefile
  branches/2015Q3/audio/opus-tools/files/patch-src_audio-in.c