Control: tags 893130 + pending Dear maintainer,
I've prepared an NMU for libvorbis (versioned as 1.3.5-4.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libvorbis-1.3.5/debian/changelog libvorbis-1.3.5/debian/changelog
--- libvorbis-1.3.5/debian/changelog 2017-12-20 17:31:19.000000000 +0100
+++ libvorbis-1.3.5/debian/changelog 2018-03-16 22:26:37.000000000 +0100
@@ -1,3 +1,11 @@
+libvorbis (1.3.5-4.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Prevent out-of-bounds write in codebook decoding (CVE-2018-5146)
+ (Closes: #893130)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 16 Mar 2018 22:26:37 +0100
+
 libvorbis (1.3.5-4.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru libvorbis-1.3.5/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch libvorbis-1.3.5/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
--- libvorbis-1.3.5/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvorbis-1.3.5/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch 2018-03-16 22:26:37.000000000 +0100
@@ -0,0 +1,93 @@
+From: Thomas Daede <[email protected]>
+Date: Thu, 15 Mar 2018 14:15:31 -0700
+Subject: CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
+Origin: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
+Bug-Debian: https://bugs.debian.org/893130
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5146
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+---
+ lib/codebook.c | 48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+diff --git a/lib/codebook.c b/lib/codebook.c
+index 321a28f..78672e2 100644
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -386,7 +386,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ t[i] = book->valuelist+entry[i]*book->dim;
+ }
+ for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+ a[o+j]+=t[j][i];
+ }
+ return(0);
+@@ -398,41 +398,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ int i,j,entry;
+ float *t;
+
+- if(book->dim>8){
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
+- a[i++]+=t[j++];
+- }
+- }else{
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- j=0;
+- switch((int)book->dim){
+- case 8:
+- a[i++]+=t[j++];
+- case 7:
+- a[i++]+=t[j++];
+- case 6:
+- a[i++]+=t[j++];
+- case 5:
+- a[i++]+=t[j++];
+- case 4:
+- a[i++]+=t[j++];
+- case 3:
+- a[i++]+=t[j++];
+- case 2:
+- a[i++]+=t[j++];
+- case 1:
+- a[i++]+=t[j++];
+- case 0:
+- break;
+- }
+- }
++ for(i=0;i<n;){
++ entry = decode_packed_entry_number(book,b);
++ if(entry==-1)return(-1);
++ t = book->valuelist+entry*book->dim;
++ for(j=0;i<n && j<book->dim;)
++ a[i++]+=t[j++];
+ }
+ }
+ return(0);
+@@ -470,12 +441,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
+ long i,j,entry;
+ int chptr=0;
+ if(book->used_entries>0){
+- for(i=offset/ch;i<(offset+n)/ch;){
++ int m=(offset+n)/ch;
++ for(i=offset/ch;i<m;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ {
+ const float *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+ a[chptr++][i]+=t[j];
+ if(chptr==ch){
+ chptr=0;
+--
+2.16.2
+
diff -Nru libvorbis-1.3.5/debian/patches/series libvorbis-1.3.5/debian/patches/series
--- libvorbis-1.3.5/debian/patches/series 2017-12-20 17:31:19.000000000 +0100
+++ libvorbis-1.3.5/debian/patches/series 2018-03-16 22:26:37.000000000 +0100
@@ -2,3 +2,4 @@
 0002-Avoid-SIGFPE-when-bytespersample-is-zero.patch
 CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
 CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
+CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
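Review bot: In the vorbis_book_decodevv_add hunk of the embedded lib/codebook.c patch, the new bound is declared `int m=(offset+n)/ch;` while `offset` and the loop index `i` it is compared against are `long`, so the guard that now prevents the out-of-bounds write depends on an implicit long-to-int narrowing; `long m=(offset+n)/ch;` keeps the limit in the same type as the index. The values are presumably small in practice, but that is not visible from the hunk. The three added guards (`o+j<n`, `i<n`, `i<m`) silently drop the tail of a codebook vector that does not fit, which is the intended fix per the patch description; a short comment at each, e.g. `/* truncate: book->dim need not divide the partition size (CVE-2018-5146) */`, would keep a later cleanup from removing them as redundant. All three function bodies start or end outside the hunks shown.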

