Your message dated Wed, 23 Sep 2015 16:11:29 +0000
with message-id <e1zemdl-0004r9...@franck.debian.org>
and subject line Bug#797461: fixed in vorbis-tools 1.4.0-7
has caused the Debian Bug report #797461,
regarding vorbis-tools: CVE-2015-6749 invalid AIFF file causes alloca() buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
797461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vorbis-tools
Version: 1.4.0-1
Severity: important
Tags: patch security

There is a problem with oggenc and invalid AIFF files.  I discovered it
in <URL: https://security-tracker.debian.org/tracker/TEMP-0000000-08B637 >,
and see it has been assigned the CVE-2015-6749 identifier.  A fix is
available from upstream in <URL: https://trac.xiph.org/ticket/2212 >
(which also has an example triggering the bug), looking like this:

From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
From: Mark Harris <mark....@gmail.com>
Date: Sun, 30 Aug 2015 05:54:46 -0700
Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input

Fixes #2212
---
 oggenc/audio.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/oggenc/audio.c b/oggenc/audio.c
index 477da8c..4921fb9 100644
--- a/oggenc/audio.c
+++ b/oggenc/audio.c
@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
 int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
 {
     int aifc; /* AIFC or AIFF? */
-    unsigned int len;
-    unsigned char *buffer;
+    unsigned int len, readlen;
+    unsigned char buffer[22];
     unsigned char buf2[8];
     aiff_fmt format;
     aifffile *aiff = malloc(sizeof(aifffile));
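Review bot: the 22 in `unsigned char buffer[22]` is a magic number; name it or comment it (it is the size of an AIFC common chunk body: 2-byte channel count, 4-byte frame count, 2-byte sample size, 10-byte rate and 4-byte compression type, of which plain AIFF has only the first 18). Since the read below is clamped to readlen, the bytes of buffer between readlen and 22 are never written; if the code following this hunk reads the AIFC compression type from buffer[18..21], that read must be guarded by readlen (or buffer zero-initialised), which is not visible in this patch.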
@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char 
*buf, int buflen)
         return 0; /* Weird common chunk */
     }
 
-    buffer = alloca(len);
-
-    if(fread(buffer,1,len,in) < len)
+    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
+    if(fread(buffer,1,readlen,in) < readlen ||
+       (len > readlen && !seek_forward(in, len-readlen)))
     {
         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
         return 0;
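Review bot: the clamp `readlen = len < sizeof(buffer) ? len : sizeof(buffer);` removes the attacker-sized alloca correctly, but the new `!seek_forward(in, len-readlen)` branch changes behaviour for input that is not seekable: oggenc accepts audio on stdin, and a valid file with a common chunk longer than 22 bytes that used to be read fully would now be rejected if seek_forward cannot move forward on a pipe, so confirm it falls back to reading and discarding. The error path also reports both a short fread and a failed skip as "Unexpected EOF in reading AIFF header"; a separate message for the skip failure would make the two cases distinguishable when triaging reports.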
-- 
2.5.0

-- 
Happy hacking
Petter Reinholdtsen

--- End Message ---
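The pattern the patch introduces (a fixed-size stack buffer, a read clamped to that size, and a skip over whatever the chunk length claims beyond it), as an added stand-alone C example. This is not vorbis-tools code and is not part of the report above; read_comm_body(), skip_forward(), the comm_info struct and the sample chunk bytes are this example's own constructions. It also exercises the hostile case the CVE is about: a COMM length near 4 GiB that alloca(len) would have tried to place on the stack.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* An AIFC COMM body is 22 bytes: channels(2) frames(4) sample size(2)
 * 80-bit rate(10) compression id(4); plain AIFF stops after the rate (18). */
#define COMM_MAX 22
typedef struct {
    uint16_t channels, bits;
    uint32_t frames;
    char compression[5];   /* 4-char id plus NUL; empty for plain AIFF */
} comm_info;

static uint32_t be32(const unsigned char *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Discard n bytes by reading them, so this also works on a non-seekable pipe. */
static int skip_forward(FILE *in, uint32_t n) {
    unsigned char junk[4096];
    while (n > 0) {
        size_t want = n < sizeof junk ? n : sizeof junk;
        if (fread(junk, 1, want, in) < want) return 0;
        n -= (uint32_t)want;
    }
    return 1;
}
/* Parse a COMM body whose 8-byte chunk header has already been consumed. len
 * comes straight from the file, i.e. from the attacker: it only decides how much
 * is read or skipped, never the size of any allocation. 1 = ok, 0 = bad chunk. */
int read_comm_body(FILE *in, uint32_t len, int aifc, comm_info *out) {
    unsigned char buffer[COMM_MAX];
    uint32_t need = aifc ? 22 : 18, readlen;
    if (len < need) return 0;                          /* weird common chunk */
    readlen = len < sizeof buffer ? len : (uint32_t)sizeof buffer;
    if (fread(buffer, 1, readlen, in) < readlen) return 0;
    if (len > readlen && !skip_forward(in, len - readlen)) return 0;
    out->channels = be16(buffer);
    out->frames = be32(buffer + 2);
    out->bits = be16(buffer + 6);
    memset(out->compression, 0, sizeof out->compression);
    /* buffer[18..21] is written only when readlen == 22, which need guarantees for AIFC */
    if (aifc) memcpy(out->compression, buffer + 18, 4);
    return 1;
}

/* Constructed sample (not from a real file): 18-byte AIFF COMM body for 2 channels,
 * 1000 frames, 16 bits, zero rate bytes, followed by the id of the next chunk. */
static const unsigned char AIFF_BODY[] = {
    0x00,0x02, 0x00,0x00,0x03,0xE8, 0x00,0x10, 0,0,0,0,0,0,0,0,0,0, 'S','S','N','D'
};
/* Constructed AIFC variant: compression "NONE" plus 2 padding bytes covered by len=24. */
static const unsigned char AIFC_BODY[] = {
    0x00,0x02, 0x00,0x00,0x03,0xE8, 0x00,0x10, 0,0,0,0,0,0,0,0,0,0,
    'N','O','N','E', 0xAA,0xBB, 'S','S','N','D'
};

/* Feed the bytes through a temporary FILE*, parse, and report via *next whether
 * the stream was left positioned on "SSND" afterwards. */
static int run_case(const unsigned char *data, size_t n, uint32_t len, int aifc,
                    comm_info *out, int *next) {
    FILE *f = tmpfile();
    unsigned char id[4]; int ok;
    *next = 0;
    if (!f) return -1;
    if (fwrite(data, 1, n, f) != n) { fclose(f); return -1; }
    rewind(f);
    ok = read_comm_body(f, len, aifc, out);
    *next = ok && fread(id, 1, 4, f) == 4 && memcmp(id, "SSND", 4) == 0;
    fclose(f);
    return ok;
}

/* Well-formed AIFF: fields decoded and stream left on the next chunk. */
int demo_plain_aiff(void) {
    comm_info ci; int next;
    if (run_case(AIFF_BODY, sizeof AIFF_BODY, 18, 0, &ci, &next) != 1) return 0;
    return next && ci.channels == 2 && ci.frames == 1000 && ci.bits == 16;
}

/* AIFC COMM longer than the buffer: the excess is skipped, not over-read. */
int demo_aifc_with_padding(void) {
    comm_info ci; int next;
    if (run_case(AIFC_BODY, sizeof AIFC_BODY, 24, 1, &ci, &next) != 1) return 0;
    return next && strcmp(ci.compression, "NONE") == 0;
}

/* Hostile len of ~4 GiB on a 22-byte body: alloca(len) would have blown the stack;
 * here the buffer stays 22 bytes and the skip hits EOF. Returns 1 when rejected. */
int demo_hostile_len(void) {
    comm_info ci; int next;
    return run_case(AIFF_BODY, sizeof AIFF_BODY, 0xFFFFFFF0u, 0, &ci, &next) == 0;
}

int main(void) {
    printf("plain AIFF: %d  AIFC padding: %d  hostile len rejected: %d\n",
           demo_plain_aiff(), demo_aifc_with_padding(), demo_hostile_len());
    return 0;
}
```

The point of the third case is that the only quantity the file controls is how many bytes get consumed, and consumption of a hostile length fails at EOF with no allocation ever having been sized by it; the stack frame is identical for an 18-byte chunk and a 4 GiB one.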
--- Begin Message ---
Source: vorbis-tools
Source-Version: 1.4.0-7

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <p...@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Sep 2015 12:15:44 +0000
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source
Version: 1.4.0-7
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-ma...@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <p...@debian.org>
Description:
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 239073 312185 728062 771448 772391 772766 772976 772978 776086 797461
Changes:
 vorbis-tools (1.4.0-7) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Format patches for gbp-pq, correct tagging and add missing
     information to tagging.
   * Add sampling rate sanity check to avoid crash (in case of unpatched
     libvorbis version) or to improve error message (with patched libvorbis).
   * Fix vorbistagedit: Reading of file list from stdin was broken.
     (Closes: #771448)
   * Documentation of vorbistagedit: Improve wording of error message.
   * Fix bashism in /usr/bin/vorbistagedit (negative status code).
     (Closes: #772391)
   * Truncate long status lines on small terminals (Closes: #239073)
   * Fix ogg123 speex stereo playback: Initialize stereo information
     data structure (Closes: #312185)
   * Fix ogg123 speex playback: Initialize channel matrix (Closes: #772766)
   * Add low-priority mailcap entry for "ogginfo" on action "cat".
     (Closes: #728062)
   * Fix oggdec crash/hang: Don't ignore stream errors (Closes: #772978)
   * Use translations in oggdec (Closes: #772976)
 .
   [ Petter Reinholdtsen ]
   * Add debian/gbp.conf to enforce the use of pristine-tar.
   * oggenc: Fix large alloca on bad AIFF input to oggenc
     (CVE-2015-6749). (Closes: #797461)
   * oggenc: Validate count of channels in the header
     (CVE-2014-9638, CVE-2014-9639). (Closes: #776086)
Checksums-Sha1:
 d66bf4c51506b3265eb650ad4d95acfce7615c22 2380 vorbis-tools_1.4.0-7.dsc
 c55fa8ba764e47c73b0451a268a976924420d341 21040 vorbis-tools_1.4.0-7.debian.tar.xz
Checksums-Sha256:
 52359ff2669f482e1afa28c2728ee02bd099e9049c738620185b38df093143bf 2380 vorbis-tools_1.4.0-7.dsc
 03d11b1a3d708d46c857211885034af4d9eea4ed103eccbcdcbcbc1c5fe6067f 21040 vorbis-tools_1.4.0-7.debian.tar.xz
Files:
 e1d497e619c703fdcc773c7503ca4ece 2380 sound optional vorbis-tools_1.4.0-7.dsc
 1100d666f68549f3476b8dbb6e460b20 21040 sound optional vorbis-tools_1.4.0-7.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Comment: Debian powered!
-----END PGP SIGNATURE-----

--- End Message ---
