Bug#870341: libvorbis: CVE-2017-11333

Guido Günther agx at sigxcpu.org
Mon Nov 20 16:03:55 UTC 2017

control: clone -1 -2
control: retitle -2 missing error checking when encoding vorbis
control: tags -2 +patch

Hi sox mantainers,
On Mon, Nov 20, 2017 at 04:39:51PM +0100, Guido Günther wrote:
> Hi Petter,
> On Tue, Aug 01, 2017 at 08:02:47PM +0200, Petter Reinholdtsen wrote:
> > Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file
> > 
> > I've tried to figure out of the recently reported security problems are
> > reported upstream, but the upstream bug tracker is being moved from
> > trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
> > not done yet, so it seem to be impossible to register it with upstream
> > so far.
> The issue is at https://gitlab.xiph.org/xiph/vorbis/issues/2332
> > 
> > Thus I have no idea if there are any patches for this issue yet.  Anyone
> > know?
> The wav file also seems to suffer from too many channels. When I apply
> the patch from #876778 and then the attached patch sox aborts
> correctly. I did not check if there are other issues in the wav file
> besides too many channels.
> (Attaching the patch here since the upstream sox list doesn't seem to
> list my submission).

There seems to be missing error checking in sox


which might cause trouble if libvorbis indicates an error. I've submited
this patch upstream too but it doesn't seem to make it to the
sourceforge list.
 -- Guido

More information about the pkg-multimedia-maintainers mailing list