Skip to main content

Topic: Relevance of some old CVEs? (Read 945 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.
  • kode54
  • [*][*][*][*][*]
  • Administrator
Relevance of some old CVEs?
I picked up this chat transcript from an anonymous IRC user on the #vorbis channel:

Quote
hi. the current release of vorbis-tools (1.4.0) contains several (potential?) security issues (CVE-2014-9638, CVE-2014-9639, CVE-2015-6749) and at least one segfault bug
for the first three, downstream patches seem to exist (e.g. link and link)
i do not know why these were not upstreamed, i.e. are not contained in xiph-tools.git (at least i didn't find the fixes there)
the segfault bug is fixed in git master
so... could you *please* check and add the known fixes and afterwards create a proper release? according to CHANGES, the last one is from 2010-03-25 ...
(yes, i know that opus is the fancy new stuff, but this does not mean that vorbis.* should rot away silently)
tickets:
https://trac.xiph.org/ticket/2009
https://trac.xiph.org/ticket/2137
https://trac.xiph.org/ticket/2136
(note that there might be additional interesting fixes e.g. in the patches directory linked above - i did not check if these were upstreamed. the cves certainly should have higher priority though.)

They're all old bugs, but this user seemed to think they were still relevant in some fashion.

  • butrus
  • [*]
Re: Relevance of some old CVEs?
Reply #1
Apparently those bugs are fixed now (vorbis-tools 1.4.0):

Code: [Select]
$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg
Encoding standard input to
         "out.ogg"
at quality 3.00
1+0 records in
1+0 records out
1 byte (1 B) copied, 2.0883e-05 s, 47.9 kB/s


Done encoding file "out.ogg"

File length:  0m 00.0s
Elapsed time: 0m 00.1s
Rate:         0.0000
Average bitrate: inf kb/s

$ oggenc ./crash_div_zero.wav
ERROR: Input file "./crash_div_zero.wav" is not a supported format

$ oggenc ./crash_ex.wav
ERROR: Input file "./crash_ex.wav" is not a supported format

  • kode54
  • [*][*][*][*][*]
  • Administrator
Re: Relevance of some old CVEs?
Reply #2
The poster was suggesting that at least Debian is inlining their own patches to fix the bugs, and that they're not fixed upstream. *shrug*

  • dutch109
  • [*][*][*]
Re: Relevance of some old CVEs?
Reply #3
Arch Linux also applies the CVE fixes.
It's worth noting because usually Arch Linux packages have very little deviation from upstream.

IMO vorbis-tools is de facto unmaintained, see also this bug (originally reported 5 years ago), that is still present in the latest version from the official git repository, and can cause a segfault of oggenc with a trivial command line.
Vorbis -q2/5 (Android/PC) & WavPack -hhx6m
https://playnoise.com/

  • kode54
  • [*][*][*][*][*]
  • Administrator
Re: Relevance of some old CVEs?
Reply #4
They probably moved on to bigger and more important things, like Daala and Opus.

  • dutch109
  • [*][*][*]
Re: Relevance of some old CVEs?
Reply #5
They probably moved on to bigger and more important things, like Daala and Opus.
Which I perfectly understand.

But just releasing the security fixes from patches already floating around in a proper point release is still the minimum we can expect from such a widely deployed project.
Vorbis -q2/5 (Android/PC) & WavPack -hhx6m
https://playnoise.com/