[Vorbis-dev] can we help with libvorbis release for CVE fixes?

Ellen Johnson ellenj at mathworks.com
Tue Jun 30 16:46:12 UTC 2020


Hi Ralph and Monty,
  Also – for https://gitlab.xiph.org/xiph/vorbis/-/issues/2334:  Can you please update the issue to point to the fix?  Monty commented that it’s a dup of issue 2330, but that issue doesn’t exist or isn’t visible.  I’ll comment on the gitlab as well.  Someone else had the same question – meaning the CVE trackers link to the solution as issue 2334 which indicates it’s a dup of 2330, but that issue doesn’t exist.
  Thanks!
     ellen

From: Ralph Giles <giles at thaumas.net>
Sent: Tuesday, June 30, 2020 11:58 AM
To: Ellen Johnson <ellenj at mathworks.com>; Vorbis Codec Mailing List <vorbis-dev at xiph.org>
Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes?

Yes, the gitlab instance is the correct upstream development
repository. We maintain a mirror at github for the convenience of
developers there.

Cheers,
Ralph

On Mon, 2020-06-29 at 21:27 +0000, Ellen Johnson wrote:
> Hi Ralph and libvorbis developers,
> I thought the vorbis gitlab project was the main development site (
> https://gitlab.xiph.org/xiph/vorbis) because that's what the NVD CVE
> tracker points to for the two CVEs I mentioned. But I just realized
> there's also a vorbis github project (https://github.com/xiph/vorbis)
> . Both appear to have recent activity.
> Is the gitlab project the correct one to get the CVE fixes from so
> we can patch our 1.3.6 to have latest security fixes?
> Thanks!
> ellen
>
> -----Original Message-----
> From: Ellen Johnson
> Sent: Friday, June 12, 2020 12:19 PM
> To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org
> Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE
> fixes?
>
> Hi Ralph,
> Thank you for your reply!
> For context -- we consider reported CVEs as bugs even if it's in a
> third-party library we use (such as libvorbis). We first determine
> if the CVE is something that would impact our customer workflows. In
> this case because of our use of libvorbis for audio I/O, it does
> impact our customers so we need to resolve the CVE as soon as
> possible.
> In the short term until a new version is released, I'd like to
> patch our libvorbis 1.3.6 with the two CVE fixes that I think are on
> the master branch. From the gitlab comments, I'm pretty sure CVE-
> 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether
> CVE-2018-10393 is fixed via issue 2334 because of its link to
> duplicate issue 2330 which doesn't exist. See
> https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by
> Monty saying it's a dup of 2330, but Pierre comments that 2330
> doesn't exist so he asked if Monty can point to the fix.
> In the longer term, we'd love to talk more about how we can help
> move the next release along and contribute to the libvorbis project
> in general.
> Yes, if you can please verify that both these CVEs are fixed in
> master branch, I'd really appreciate it.
> Thank you!
> ellen
> MATLAB Audio, Video, Image, and Scientific Data Formats
> MathWorks
>
> -----Original Message-----
> From: Ralph Giles <giles at thaumas.net>
> Sent: Wednesday, June 10, 2020 6:58 PM
> To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org
> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE
> fixes?
>
> Hi Ellen,
>
> Thanks for your kind offer to help the release along. We have indeed
> been having trouble finding resources for that.
>
> You can certainly help by testing the git master branch with your
> software and reporting any issues you find. Otherwise, triaging
> outstanding bug reports and patches is always helpful, although
> that's not essential for a security-based release.
>
> I'll try to find out what the resolution on the reported CVEs was.
>
> Cheers,
> -r
>
> On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:
> > Hi libvorbis developers!
> > I’m wondering if you had a chance to see my request for releasing a
> > new libvorbis version – this is to have an official libvorbis release
> > containing the CVE fixes that appear to be fixed in the master branch.
> > Is there anything we can do to help with getting a release out?
> > We’re happy to work with you on this. Please let us know if we can do
> > anything to help move this along.
> > Thank you!
> > Ellen Johnson
> > MATLAB Audio, Video, Image, and Scientific Data Formats
> > MathWorks
> >
> >
> > From: Ellen Johnson
> > Sent: Tuesday, May 26, 2020 5:48 PM
> > To: vorbis-dev at xiph.org
> > Subject: libvorbis release for recent CVE fixes?
> >
> > Hi libvorbis developers,
> > I hope you all are well!
> > Here at MathWorks we use libvorbis as part of our MATLAB audio I/O
> > functionality, and our current version is your latest version 1.3.6.
> > We’ve had the following libvorbis CVEs reported to us which appear to
> > be fixed in your gitlab master branch and which impact our customer
> > workflows:
> > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)
> > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but
> > the link to its duplicate issue 2330 does not work so I’m not 100%
> > sure if this is fixed)
> > Can you please do a point release so that we can be security
> > compliant for our MATLAB customers?
> > Thank you!
> > Ellen Johnson
> > MATLAB Audio, Video, Image, and Scientific Data Formats
> > MathWorks
> >
> > _______________________________________________
> > Vorbis-dev mailing list
> > Vorbis-dev at xiph.org
> > http://lists.xiph.org/mailman/listinfo/vorbis-dev
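The check Ellen is trying to make in the thread above, whether a given fix commit is already contained in the 1.3.6 release tag or is still only on master and has to be backported, as an added shell example that is not from the thread or the libvorbis project. It runs against a constructed local git repository with made-up commits, because the thread names gitlab issue numbers but no commit ids; to use it for real, point `fix_status` at a checkout of https://gitlab.xiph.org/xiph/vorbis and the commit ids linked from issues 2334 and 2335 (those ids are an assumption you have to supply, nothing here guesses them).

```shell
#!/bin/sh
# Added example (not from the thread or from libvorbis): classify a fix
# commit relative to a release tag and produce a backport patch. The
# repository, commits and tag below are constructed on the fly; the commit
# ids are generated, not the real libvorbis ones.
set -eu

# fix_status REPO COMMIT TAG
# Prints one of:
#   in-tag     COMMIT is an ancestor of TAG, so the release already has it
#   backport   COMMIT is on master but not in TAG: cherry-pick it onto TAG
#   not-fixed  COMMIT is not reachable from master (or is not a commit at all)
fix_status() {
  repo=$1; commit=$2; tag=$3
  if git -C "$repo" merge-base --is-ancestor "$commit" "$tag" 2>/dev/null; then
    echo in-tag
  elif git -C "$repo" merge-base --is-ancestor "$commit" master 2>/dev/null; then
    echo backport
  else
    echo not-fixed
  fi
}

# backport_patch REPO COMMIT OUTDIR
# Writes a single git-format-patch file for COMMIT into OUTDIR (use an
# absolute OUTDIR) and prints its path; apply it to the release tree with
# `git am` or `patch -p1`.
backport_patch() {
  repo=$1; commit=$2; outdir=$3
  git -C "$repo" format-patch -1 -o "$outdir" "$commit"
}

# make_demo_repo DIR
# Constructed history: one commit tagged v1.3.6, then one more commit on
# master standing in for a CVE fix. Prints the id of the fix commit.
make_demo_repo() {
  dir=$1
  git init -q "$dir"
  git -C "$dir" symbolic-ref HEAD refs/heads/master
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config user.name demo
  printf 'release\n' > "$dir/codebook.c"
  git -C "$dir" add codebook.c
  git -C "$dir" commit -q -m "constructed stand-in for the 1.3.6 release"
  git -C "$dir" tag v1.3.6
  printf 'release\nbounds check\n' > "$dir/codebook.c"
  git -C "$dir" commit -q -am "constructed stand-in for a CVE fix on master"
  git -C "$dir" rev-parse HEAD
}

# Demonstration on the constructed repository.
demo() {
  work=$(mktemp -d)
  fix=$(make_demo_repo "$work/vorbis")
  base=$(git -C "$work/vorbis" rev-parse v1.3.6)
  echo "fix commit vs v1.3.6:  $(fix_status "$work/vorbis" "$fix" v1.3.6)"
  echo "tag commit vs v1.3.6:  $(fix_status "$work/vorbis" "$base" v1.3.6)"
  echo "patch written to:      $(backport_patch "$work/vorbis" "$fix" "$work/patches")"
  rm -rf "$work"
}

demo
```

The same three-way classification also tells you when a CVE tracker's "fixed in master" claim is moot for your build: if `fix_status` says `in-tag` for the tag you ship, no backport is needed, and if it says `not-fixed` the referenced commit is not on the branch the tracker points to and the issue should be re-checked before anything is backported.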