Skip to main content

Notice

Please note that most of the software linked on this forum is likely to be safe to use. If you are unsure, feel free to ask in the relevant topics, or send a private message to an administrator or moderator. To help curb the problems of false positives, or in the event that you do find actual malware, you can contribute through the article linked here.
Topic: Relevance of some old CVEs? (Read 6698 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Relevance of some old CVEs?

I picked up this chat transcript from an anonymous IRC user on the #vorbis channel:

Quote
hi. the current release of vorbis-tools (1.4.0) contains several (potential?) security issues (CVE-2014-9638, CVE-2014-9639, CVE-2015-6749) and at least one segfault bug
for the first three, downstream patches seem to exist (e.g. link and link)
i do not know why these were not upstreamed, i.e. are not contained in xiph-tools.git (at least i didn't find the fixes there)
the segfault bug is fixed in git master
so... could you *please* check and add the known fixes and afterwards create a proper release? according to CHANGES, the last one is from 2010-03-25 ...
(yes, i know that opus is the fancy new stuff, but this does not mean that vorbis.* should rot away silently)
tickets:
https://trac.xiph.org/ticket/2009
https://trac.xiph.org/ticket/2137
https://trac.xiph.org/ticket/2136
(note that there might be additional interesting fixes e.g. in the patches directory linked above - i did not check if these were upstreamed. the cves certainly should have higher priority though.)

They're all old bugs, but this user seemed to think they were still relevant in some fashion.

Re: Relevance of some old CVEs?

Reply #1
Apparently those bugs are fixed now (vorbis-tools 1.4.0):

Code: [Select]
$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg
Encoding standard input to
         "out.ogg"
at quality 3.00
1+0 records in
1+0 records out
1 byte (1 B) copied, 2.0883e-05 s, 47.9 kB/s


Done encoding file "out.ogg"

File length:  0m 00.0s
Elapsed time: 0m 00.1s
Rate:         0.0000
Average bitrate: inf kb/s

$ oggenc ./crash_div_zero.wav
ERROR: Input file "./crash_div_zero.wav" is not a supported format

$ oggenc ./crash_ex.wav
ERROR: Input file "./crash_ex.wav" is not a supported format

Re: Relevance of some old CVEs?

Reply #2
The poster was suggesting that at least Debian is inlining their own patches to fix the bugs, and that they're not fixed upstream. *shrug*

Re: Relevance of some old CVEs?

Reply #3
Arch Linux also applies the CVE fixes.
It's worth noting because usually Arch Linux packages have very little deviation from upstream.

IMO vorbis-tools is de facto unmaintained, see also this bug (originally reported 5 years ago), that is still present in the latest version from the official git repository, and can cause a segfault of oggenc with a trivial command line.
Opus 96 kb/s (Android) / Vorbis -q5 (PC) / WavPack -hhx6m (Archive)

Re: Relevance of some old CVEs?

Reply #4
They probably moved on to bigger and more important things, like Daala and Opus.

 

Re: Relevance of some old CVEs?

Reply #5
They probably moved on to bigger and more important things, like Daala and Opus.
Which I perfectly understand.

But just releasing the security fixes from patches already floating around in a proper point release is still the minimum we can expect from such a widely deployed project.
Opus 96 kb/s (Android) / Vorbis -q5 (PC) / WavPack -hhx6m (Archive)