[ASA-201803-12] libvorbis: multiple issues

Jelle van der Waa jelle at archlinux.org
Mon Mar 19 12:49:47 UTC 2018 

Arch Linux Security Advisory ASA-201803-12
==========================================

Severity: Critical
Date    : 2018-03-16
CVE-ID  : CVE-2017-14632 CVE-2017-14633 CVE-2018-5146
Package : libvorbis
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-367

Summary
=======

The package libvorbis before version 1.3.6-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 1.3.6-1.

# pacman -Syu "libvorbis>=1.3.6-1"

The problems have been fixed upstream in version 1.3.6.

Workaround
==========

None.

Description
===========

- CVE-2017-14632 (arbitrary code execution)

fXiph.Org libvorbis before 1.3.6 allows remote code execution upon
freeing uninitialized memory in the function
vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar
issue to Mozilla bug 550184.

- CVE-2017-14633 (denial of service)

In Xiph.Org libvorbis before 1.3.6, an out-of-bounds array read
vulnerability exists in the function mapping0_forward() in mapping0.c,
which may lead to DoS when operating on a crafted audio file with
vorbis_analysis().

- CVE-2018-5146 (arbitrary code execution)

An out of bounds memory write vulnerability has been discovered in
libvorbis before 1.3.6 while processing Vorbis audio data related to
codebooks that are not an exact divisor of the partition size.

Impact
======

A remote attacker is able to execute arbitrary code or crash the
application by tricking the user into playing a specially crafted
vorbis file.

References
==========

https://github.com/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
https://github.com/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f
http://seclists.org/oss-sec/2018/q1/243
https://security.archlinux.org/CVE-2017-14632
https://security.archlinux.org/CVE-2017-14633
https://security.archlinux.org/CVE-2018-5146
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20180319/d65b0db2/attachment.asc>

More information about the arch-security mailing list