Bug#870341: libvorbis: CVE-2017-11333

Guido Günther agx at sigxcpu.org
Mon Nov 20 16:03:55 UTC 2017


control: clone -1 -2
control: retitle -2 missing error checking when encoding vorbis
control: tags -2 +patch

Hi sox mantainers,
On Mon, Nov 20, 2017 at 04:39:51PM +0100, Guido Günther wrote:
> Hi Petter,
> On Tue, Aug 01, 2017 at 08:02:47PM +0200, Petter Reinholdtsen wrote:
> > Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file
> > 
> > I've tried to figure out of the recently reported security problems are
> > reported upstream, but the upstream bug tracker is being moved from
> > trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
> > not done yet, so it seem to be impossible to register it with upstream
> > so far.
> 
> The issue is at https://gitlab.xiph.org/xiph/vorbis/issues/2332
> 
> > 
> > Thus I have no idea if there are any patches for this issue yet.  Anyone
> > know?
> 
> The wav file also seems to suffer from too many channels. When I apply
> the patch from #876778 and then the attached patch sox aborts
> correctly. I did not check if there are other issues in the wav file
> besides too many channels.
> 
> (Attaching the patch here since the upstream sox list doesn't seem to
> list my submission).

There seems to be missing error checking in sox

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870341#19

which might cause trouble if libvorbis indicates an error. I've submited
this patch upstream too but it doesn't seem to make it to the
sourceforge list.
Cheers,
 -- Guido



More information about the pkg-xiph-maint mailing list