[Vorbis-dev] can we help with libvorbis release for CVE fixes?

Ralph Giles giles at thaumas.net
Tue Jun 30 15:58:08 UTC 2020


Yes, the gitlab instance is the correct upstream development
repository. We maintain a mirror at github for the convenience of
developers there.

Cheers,
Ralph

On Mon, 2020-06-29 at 21:27 +0000, Ellen Johnson wrote:
> Hi Ralph and libvorbis developers,
>   I thought the vorbis gitlab project was the main development site
> (https://gitlab.xiph.org/xiph/vorbis) because that's what the NVD CVE
> tracker points to for the two CVEs I mentioned.  But I just realized
> there's also a vorbis github project (https://github.com/xiph/vorbis).
> Both appear to have recent activity.
>   Is the gitlab project the correct one to get the CVE fixes from so
> we can patch our 1.3.6 to have latest security fixes?
>   Thanks!
>      ellen
> 
> -----Original Message-----
> From: Ellen Johnson 
> Sent: Friday, June 12, 2020 12:19 PM
> To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org
> Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE
> fixes?
> 
> Hi Ralph,
>   Thank you for your reply!  
>   For context -- we consider reported CVEs as bugs even if it's in a
> third-party library we use (such as libvorbis).  We first determine
> if the CVE is something that would impact our customer workflows.  In
> this case because of our use of libvorbis for audio I/O, it does
> impact our customers so we need to resolve the CVE as soon as
> possible.
>   In the short term until a new version is released, I'd like to
> patch our libvorbis 1.3.6 with the two CVE fixes that I think are on
> the master branch.  From the gitlab comments, I'm pretty sure
> CVE-2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether
> CVE-2018-10393 is fixed via issue 2334 because of its link to
> duplicate issue 2330 which doesn't exist.  See 
> https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by
> Monty saying it's a dup of 2330, but Pierre comments that 2330
> doesn't exist so he asked if Monty can point to the fix.
>   In the longer term, we'd love to talk more about how we can help
> move the next release along and contribute to the libvorbis project
> in general.
>   Yes, if you can please verify that both these CVEs are fixed in
> master branch, I'd really appreciate it.
>   Thank you!
>       ellen
>         MATLAB Audio, Video, Image, and Scientific Data Formats
>         MathWorks
> 
> -----Original Message-----
> From: Ralph Giles <giles at thaumas.net>
> Sent: Wednesday, June 10, 2020 6:58 PM
> To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org
> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE
> fixes?
> 
> Hi Ellen,
> 
> Thanks for your kind offer to help the release along. We have indeed
> been having trouble finding resources for that.
> 
> You can certainly help by testing the git master branch with your
> software and reporting any issues you find. Otherwise, triaging
> outstanding bug reports and patches is always helpful, although
> that's not essential for a security-based release.
> 
> I'll try to find out what the resolution on the reported CVEs was.
> 
> Cheers,
>  -r
> 
> On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:
> > Hi libvorbis developers!
> >    I’m wondering if you had a chance to see my request for
> > releasing a new libvorbis version – this is to have an official
> > libvorbis release containing the CVE fixes that appear to be fixed
> > in the master branch.
> >    Is there anything we can do to help with getting a release out?
> > We’re happy to work with you on this.  Please let us know if we can
> > do anything to help move this along.
> >    Thank you!
> >      Ellen Johnson
> >      MATLAB Audio, Video, Image, and Scientific Data Formats
> >      MathWorks
> >  
> >  
> > From: Ellen Johnson
> > Sent: Tuesday, May 26, 2020 5:48 PM
> > To: vorbis-dev at xiph.org
> > Subject: libvorbis release for recent CVE fixes?
> >  
> > Hi libvorbis developers, 
> >    I hope you all are well!
> >    Here at MathWorks we use libvorbis as part of our MATLAB audio
> > I/O functionality, and our current version is your latest version
> > 1.3.6. We’ve had the following libvorbis CVEs reported to us which
> > appear to be fixed in your gitlab master branch and which impact our
> > customer workflows:
> >      CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)
> >      CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334,
> > but the link to its duplicate issue 2330 does not work so I’m not
> > 100% sure if this is fixed)
> >   Can you please do a point release so that we can be security 
> > compliant for our MATLAB customers?
> >   Thank you!
> >      Ellen Johnson
> >      MATLAB Audio, Video, Image, and Scientific Data Formats
> >      MathWorks
> >  
> > _______________________________________________
> > Vorbis-dev mailing list
> > Vorbis-dev at xiph.org
> > http://lists.xiph.org/mailman/listinfo/vorbis-dev
