Your message dated Sat, 24 Sep 2016 07:55:14 +0200 with message-id <[email protected]> and subject line Bug fixed in Jessie has caused the Debian Bug report #797461, regarding vorbis-tools: CVE-2015-6749 invalid AIFF file cause alloca() buffer overflow to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
797461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797461
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: vorbis-tools
Version: 1.4.0-1
Severity: important
Tags: patch security

There is a problem with oggenc and invalid AIFF files. I discovered it in <URL: https://security-tracker.debian.org/tracker/TEMP-0000000-08B637 >, and see it has been assigned the CVE-2015-6749 identifier.

A fix is available from upstream in <URL: https://trac.xiph.org/ticket/2212 > (which also has an example triggering the bug), looking like this:

>From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001 From: Mark Harris <[email protected]> Date: Sun, 30 Aug 2015 05:54:46 -0700 Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input Fixes #2212 --- oggenc/audio.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/oggenc/audio.c b/oggenc/audio.c index 477da8c..4921fb9 100644 --- a/oggenc/audio.c +++ b/oggenc/audio.c @@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] = int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) { int aifc; /* AIFC or AIFF? */ - unsigned int len; - unsigned char *buffer; + unsigned int len, readlen; + unsigned char buffer[22]; unsigned char buf2[8]; aiff_fmt format; aifffile *aiff = malloc(sizeof(aifffile)); @@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) return 0; /* Weird common chunk */ } - buffer = alloca(len); - - if(fread(buffer,1,len,in) < len) + readlen = len < sizeof(buffer) ? len : sizeof(buffer); + if(fread(buffer,1,readlen,in) < readlen || + (len > readlen && !seek_forward(in, len-readlen))) { fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n")); return 0; -- 2.5.0

-- 
Happy hacking
Petter Reinholdtsen
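Review bot: In the declarations of aiff_open(), the size in "unsigned char buffer[22];" is a bare constant with no comment tying it to the AIFF/AIFC common-chunk fields it has to hold. A named constant or a one-line comment would let a reader check that every later index into buffer stays below that bound, which matters here because the fixed array is what replaces the length-driven alloca(len).

Review bot: In the second hunk, when len is smaller than sizeof(buffer) only readlen bytes of buffer are filled, and nothing in the visible lines zeroes the remainder, so any later access beyond the first len bytes reads uninitialised stack data unless it is guarded by len. Initialising the array at its declaration would make short chunks deterministic. The same condition also routes a failed seek_forward() to the "Unexpected EOF" warning and depends on seek_forward() returning nonzero on success, a convention the hunk relies on but does not show.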
--- End Message ---
--- Begin Message ---
Version: 1.4.0-6+deb8u1

This issue was fixed in Jessie with this upload:

vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low
 .
   [ Petter Reinholdtsen ]
   * Add gbp.conf file documenting git branch to use for updates to Jessie.
   * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749). (Closes: 797461)
   * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639). (Closes: 776086)
 .
   [ Martin Steghöfer ]
   * Fix segmentation fault in vcut (Closes: #818037)

No idea why the BTS has not noticed yet, but I close the bugs manually to have the fact properly recorded.

-- 
Happy hacking
Petter Reinholdtsen
--- End Message ---

