[Vorbis-dev] new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?

Ralph Giles giles at thaumas.net
Mon Jul 20 16:18:56 UTC 2020


Yes, CVE-2018-10392 is fixed in the 1.3.7 release. I've updated the
release notes on the gitlab and github projects, and the CHANGES file
in the repository itself. I did not update the 1.3.7 source packages or
tag, since those are published artefacts.

Thanks for pointing out this oversight,
Ralph

On Tue, 2020-07-07 at 19:00 +0000, Ellen Johnson wrote:
> Hi Ralph,
>   Again, thanks so much for doing all this!  Plus thanks to all the
> folks who contributed to the new release!
>   Quick clarifying question -- Isn't CVE-2018-10392 (looks like it’s
> fixed in https://gitlab.xiph.org/xiph/vorbis/-/issues/2335) also
> included in new version 1.3.7? If so can you please add it to release
> notes?
>   (I asked the same question in
> https://gitlab.xiph.org/xiph/vorbis/-/issues/2334).
>   Thanks again!
>      ellen
>  
> From: Ellen Johnson 
> Sent: Monday, July 6, 2020 4:39 PM
> To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org
> Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE
> fixes?
>  
> Hi Ralph,
>   Thank you so much for not only tracking down the fix for
> CVE-2018-10393 and adding the extra bounds check to bark_noise_hybridmp(), but
> also for releasing an official 1.3.7 release with these fixes and
> other bug fixes!
>   We really appreciate your work on clarifying the CVE fix.  Plus
> with the new release I can upgrade from 1.3.6 to 1.3.7 instead of
> having to patch piecemeal from the master branch.
>   Please let us know how MathWorks can help with the libvorbis
> project moving forward.  We’re happy to work with you!
>   Thanks!
>     ellen
>  
> From: Ralph Giles <giles at thaumas.net> 
> Sent: Saturday, July 4, 2020 3:19 PM
> To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org
> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE
> fixes?
>  
> Ok,
> 
> I wasn't able to track down the original steps to reproduce this
> issue, but we believe CVE-2018-10393 is a duplicate of CVE-2017-14160,
> both fixed by commit 018ca26dece6.
> 
> Because of the confusion, I added additional bounds checks to
> the bark_noise_hybridmp function, which make it clear to local analysis
> that no bugs in this class are possible. This change is in
> commit a9eb99a5bd6f.
> 
> Both of these changes are included in the libvorbis 1.3.7 release,
> posted today. This upstream release addresses all the CVE issues I'm
> aware of. Hopefully that addresses your needs.
> 
> Thanks for your patience while we prepared this release, and thanks to
> everyone who contributed patches, testing, and review work.
> 
> Cheers,
> Ralph
> Xiph.Org Foundation for Open Multimedia
> 
> On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote:
> > Hi Ralph,
> > Thank you for your reply! 
> > For context -- we consider reported CVEs as bugs even if it's in a
> > third-party library we use (such as libvorbis). We first determine
> > if the CVE is something that would impact our customer workflows. In
> > this case because of our use of libvorbis for audio I/O, it does
> > impact our customers so we need to resolve the CVE as soon as
> > possible.
> > In the short term until a new version is released, I'd like to
> > patch our libvorbis 1.3.6 with the two CVE fixes that I think are on
> > the master branch. From the gitlab comments, I'm pretty sure
> > CVE-2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether
> > CVE-2018-10393 is fixed via issue 2334 because of its link to
> > duplicate issue 2330 which doesn't exist. See
> > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by
> > Monty saying it's a dup of 2330, but Pierre comments that 2330
> > doesn't exist so he asked if Monty can point to the fix.
> > In the longer term, we'd love to talk more about how we can help
> > move the next release along and contribute to the libvorbis project
> > in general.
> > Yes, if you can please verify that both these CVEs are fixed in
> > master branch, I'd really appreciate it.
> > Thank you!
> > ellen
> > MATLAB Audio, Video, Image, and Scientific Data Formats
> > MathWorks
> > 
> > -----Original Message-----
> > From: Ralph Giles <giles at thaumas.net> 
> > Sent: Wednesday, June 10, 2020 6:58 PM
> > To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org
> > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE
> > fixes?
> > 
> > Hi Ellen,
> > 
> > Thanks for your kind offer to help the release along. We have indeed
> > been having trouble finding resources for that.
> > 
> > You can certainly help by testing the git master branch with your
> > software and reporting any issues you find. Otherwise, triaging
> > outstanding bug reports and patches is always helpful, although
> > that's not essential for a security-based release.
> > 
> > I'll try to find out what the resolution on the reported CVEs was.
> > 
> > Cheers,
> > -r
> > 
> > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:
> > > Hi libvorbis developers!
> > > I’m wondering if you had a chance to see my request for releasing a
> > > new libvorbis version – this is to have an official libvorbis release
> > > containing the CVE fixes that appear to be fixed in the master
> > > branch.
> > > Is there anything we can do to help with getting a release out?
> > > We’re happy to work with you on this. Please let us know if we can
> > > do anything to help move this along.
> > > Thank you!
> > > Ellen Johnson
> > > MATLAB Audio, Video, Image, and Scientific Data Formats
> > > MathWorks
> > > 
> > > 
> > > From: Ellen Johnson
> > > Sent: Tuesday, May 26, 2020 5:48 PM
> > > To: vorbis-dev at xiph.org
> > > Subject: libvorbis release for recent CVE fixes?
> > > 
> > > Hi libvorbis developers, 
> > > I hope you all are well!
> > > Here at MathWorks we use libvorbis as part of our MATLAB audio I/O
> > > functionality, and our current version is your latest version 1.3.6.
> > > We’ve had the following libvorbis CVEs reported to us which appear
> > > to be fixed in your gitlab master branch and which impact our
> > > customer workflows:
> > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)
> > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but
> > > the link to its duplicate issue 2330 does not work so I’m not 100%
> > > sure if this is fixed)
> > > Can you please do a point release so that we can be security
> > > compliant for our MATLAB customers?
> > > Thank you!
> > > Ellen Johnson
> > > MATLAB Audio, Video, Image, and Scientific Data Formats
> > > MathWorks
> > > 
> > > _______________________________________________
> > > Vorbis-dev mailing list
> > > Vorbis-dev at xiph.org
> > > http://lists.xiph.org/mailman/listinfo/vorbis-dev.
> > > xiph.org
