Bug 1081833 - (CVE-2017-11333) VUL-1: CVE-2017-11333: libvorbis: Memory exhaustion in vorbis_analysis_wrote function in lib/block.c
Status: RESOLVED DUPLICATE of bug 1059811
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low / Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/200457/
CVSSv3:SUSE:CVE-2017-11333:3.3:(AV:L/...
Depends on:
Blocks:
Reported: 2018-02-20 16:41 UTC by Johannes Segitz
Modified: 2020-06-29 06:32 UTC (History)

See Also:
Found By: Security Response Team


Attachments
Reproducer (6.09 KB, audio/x-wav)
2018-02-20 16:41 UTC, Johannes Segitz
Description Johannes Segitz 2018-02-20 16:41:40 UTC
Created attachment 760885 [details]
Reproducer

rh#1480643

The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5
allows remote attackers to cause a denial of service (OOM) via a crafted wav
file.

Same as with bsc#1081829. The reproducer triggers for me, but (while using a lot of memory) it causes a segfault instead of running into the OOM killer.
[----------------------------------registers-----------------------------------]
RAX: 0x615120 --> 0x1
RBX: 0x744c64c0 --> 0x0
RCX: 0x1
RDX: 0x7c89d8c0 --> 0xc2c20000c2a80000
RSI: 0x612910 --> 0x200
RDI: 0x6398d0 --> 0xc13c71c8c13c71c8
RBP: 0x7fffffffd7e0 --> 0x106576a0 --> 0x7fffee7ee010 --> 0x10651910 --> 0x0
RSP: 0x7ffffff7de80 --> 0x683479d0 --> 0xc43f115cc43f115c
RIP: 0x7ffff53897e7 (<mapping0_forward+1543>:   movsxd rax,DWORD PTR [r14+0x404])
R8 : 0x683475d0 --> 0xc2a11c72c2871c72
R9 : 0x744c64c0 --> 0x0
R10: 0x100
R11: 0x614ac0 --> 0xc2c8000000000000
R12: 0x7fffee66f918 --> 0x7c8c03a0 --> 0x0
R13: 0x683479d0 --> 0xc43f115cc43f115c
R14: 0x115766540
R15: 0x100
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff53897d5 <mapping0_forward+1525>:      mov    rax,QWORD PTR [rbp-0xa0]
   0x7ffff53897dc <mapping0_forward+1532>:      mov    rsi,QWORD PTR [rbp-0x90]
   0x7ffff53897e3 <mapping0_forward+1539>:      lea    r14,[rax+r14*4]
=> 0x7ffff53897e7 <mapping0_forward+1543>:      movsxd rax,DWORD PTR [r14+0x404]
   0x7ffff53897ee <mapping0_forward+1550>:      cmp    DWORD PTR [rsi+rax*4+0x528],0x1
   0x7ffff53897f6 <mapping0_forward+1558>:      jne    0x7ffff5389de6 <mapping0_forward+3078>
   0x7ffff53897fc <mapping0_forward+1564>:      mov    rsi,QWORD PTR [rbp-0x70]
   0x7ffff5389800 <mapping0_forward+1568>:      mov    r8,QWORD PTR [r12]
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff7de80 --> 0x683479d0 --> 0xc43f115cc43f115c
0008| 0x7ffffff7de88 --> 0x0
0016| 0x7ffffff7de90 --> 0x0
0024| 0x7ffffff7de98 --> 0x0
0032| 0x7ffffff7dea0 --> 0xc3d3e194c3d3e194
0040| 0x7ffffff7dea8 --> 0xc3d3e194c3d3e194
0048| 0x7ffffff7deb0 --> 0xc3d3e194c3d3e194
0056| 0x7ffffff7deb8 --> 0xc3d3e194c3d3e194
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff53897e7 in mapping0_forward (vb=<optimized out>) at mapping0.c:506
506     mapping0.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff53897e7 in mapping0_forward (vb=<optimized out>) at mapping0.c:506
#1  0x00007ffff537e9fc in vorbis_analysis (vb=vb@entry=0x612808, op=op@entry=0x612748) at analysis.c:47
#2  0x00007ffff7ba6deb in write_samples (ft=0x611f90, buf=buf@entry=0x0, len=len@entry=0x0) at vorbis.c:362
#3  0x00007ffff7ba6eb5 in stopwrite (ft=<optimized out>) at vorbis.c:398
#4  0x00007ffff7b5d0c8 in sox_close (ft=0x611f90) at formats.c:1006
#5  0x0000000000406108 in cleanup () at sox.c:246
#6  0x0000000000403719 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdae8) at sox.c:3050
#7  0x00007ffff72aa6d5 in __libc_start_main (main=0x402c70 <main>, argc=0x3, argv=0x7fffffffdae8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdad8) at libc-start.c:289
#8  0x0000000000403f09 in _start () at ../sysdeps/x86_64/start.S:118


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1480643
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11333
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11333.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11333
http://seclists.org/fulldisclosure/2017/Jul/82
Comment 1 Takashi Iwai 2018-02-24 08:05:02 UTC
No fix seems seen in upstream yet.
Comment 2 Victor Pereira 2018-03-19 08:07:07 UTC
Hi Takashi,

Upstream released a patch for the issue https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
Comment 3 Takashi Iwai 2018-03-19 08:11:49 UTC
If so, it's the same issue as CVE-2017-14633, and all branches have already been covered.
Comment 6 Marcus Meissner 2018-09-10 13:47:42 UTC
fixed
Comment 7 Marcus Meissner 2018-09-10 13:48:02 UTC

*** This bug has been marked as a duplicate of bug 1059811 ***