[Vorbis-dev] can we help with libvorbis release for CVE fixes?

Ellen Johnson ellenj at mathworks.com
Fri Jun 12 16:19:07 UTC 2020


Hi Ralph,
  Thank you for your reply!  
  For context -- we consider reported CVEs as bugs even if it's in a third-party library we use (such as libvorbis).  We first determine if the CVE is something that would impact our customer workflows.  In this case because of our use of libvorbis for audio I/O, it does impact our customers so we need to resolve the CVE as soon as possible.
  In the short term until a new version is released, I'd like to patch our libvorbis 1.3.6 with the two CVE fixes that I think are on the master branch.  From the gitlab comments, I'm pretty sure CVE-2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether CVE-2018-10393 is fixed via issue 2334 because of its link to duplicate issue 2330 which doesn't exist.  See https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by Monty saying it's a dup of 2330, but Pierre comments that 2330 doesn't exist so he asked if Monty can point to the fix.
  In the longer term, we'd love to talk more about how we can help move the next release along and contribute to the libvorbis project in general.
  Yes, if you can please verify that both these CVEs are fixed in master branch, I'd really appreciate it.
  Thank you!
      ellen
        MATLAB Audio, Video, Image, and Scientific Data Formats
        MathWorks

-----Original Message-----
From: Ralph Giles <giles at thaumas.net> 
Sent: Wednesday, June 10, 2020 6:58 PM
To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org
Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes?

Hi Ellen,

Thanks for your kind offer to help the release along. We have indeed been having trouble finding resources for that.

You can certainly help by testing the git master branch with your software and reporting any issues you find. Otherwise, triaging outstanding bug reports and patches is always helpful, although that's not essential for a security-based release.

I'll try to find out what the resolution on the reported CVEs was.

Cheers,
 -r

On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:
> Hi libvorbis developers!
>    I’m wondering if you had a chance to see my request for releasing a 
> new libvorvis version – this is to have an official libvorbis release 
> containing the CVE fixes that appear to be fixed in the master branch.
>    Is there anything we can do to help with getting a release out?
> We’re happy to work with you on this.  Please let us know if we can do 
> anything to help move this along.
>    Thank you!
>      Ellen Johnson
>      MATLAB Audio, Video, Image, and Scientific Data Formats
>      MathWorks
>  
>  
> From: Ellen Johnson
> Sent: Tuesday, May 26, 2020 5:48 PM
> To: vorbis-dev at xiph.org
> Subject: libvorbis release for recent CVE fixes?
>  
> Hi libvorbis developers, 
>    I hope you all are well!
>    Here at MathWorks we use libvorbis as part of our MATLAB audio I/O 
> functionality, and our current version is your latest version 1.3.6.
> We’ve had the following libvorbis CVEs reported to us which appear to 
> be fixed in your gitlab master branch and which impact our customer
> workflows:
>      CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)
>      CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but 
> the link to its duplicate issue 2330 does not work so I’m not 100% 
> sure if this is fixed)
>   Can you please do a point release so that we can be security 
> compliant for our MATLAB customers?
>   Thank you!
>      Ellen Johnson
>      MATLAB Audio, Video, Image, and Scientific Data Formats
>      MathWorks
>  
> _______________________________________________
> Vorbis-dev mailing list
> Vorbis-dev at xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis-dev.
> xiph.org



More information about the Vorbis-dev mailing list