<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi Ralph,<o:p></o:p></p>
<p class="MsoNormal"> Did you have a chance to see my latest request about also including fix for CVE-2018-10392 (issue 2335) in release notes?<o:p></o:p></p>
<p class="MsoNormal"> Thanks!<o:p></o:p></p>
<p class="MsoNormal"> ellen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ellen Johnson <br>
<b>Sent:</b> Tuesday, July 7, 2020 3:01 PM<br>
<b>To:</b> Ralph Giles <giles@thaumas.net>; vorbis-dev@xiph.org<br>
<b>Subject:</b> new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Ralph,<o:p></o:p></p>
<p class="MsoNormal"> Again, thanks so much for doing all this! Plus thanks to all the folks who contributed to the new release!<o:p></o:p></p>
<p class="MsoNormal"> Quick clarifying question -- Isn't CVE-2018-10392 (looks like it’s fixed in
<a href="https://gitlab.xiph.org/xiph/vorbis/-/issues/2335">https://gitlab.xiph.org/xiph/vorbis/-/issues/2335</a>) also included in new version 1.3.7? If so can you please add it to release notes?<o:p></o:p></p>
<p class="MsoNormal"> (I asked the same question in <a href="https://gitlab.xiph.org/xiph/vorbis/-/issues/2334">
https://gitlab.xiph.org/xiph/vorbis/-/issues/2334</a>).<o:p></o:p></p>
<p class="MsoNormal"> Thanks again!<o:p></o:p></p>
<p class="MsoNormal"> ellen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ellen Johnson <br>
<b>Sent:</b> Monday, July 6, 2020 4:39 PM<br>
<b>To:</b> Ralph Giles <<a href="mailto:giles@thaumas.net">giles@thaumas.net</a>>;
<a href="mailto:vorbis-dev@xiph.org">vorbis-dev@xiph.org</a><br>
<b>Subject:</b> RE: [Vorbis-dev] can we help with libvorbis release for CVE fixes?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Ralph,<o:p></o:p></p>
<p class="MsoNormal"> Thank you so much for not only tracking down the fix for CVE-2018-10393 and adding the extra bounds check to bark_noise_hybridmp(), but also for releasing an official 1.3.7 release with these fixes and other bug fixes!<o:p></o:p></p>
<p class="MsoNormal"> We really appreciate your work on clarifying the CVE fix. Plus with the new release I can upgrade from 1.3.6 to 1.3.7 instead of having to patch piecemeal from the master branch.<o:p></o:p></p>
<p class="MsoNormal"> Please let us know how MathWorks can help with the libvorbis project moving forward. We’re happy to work with you!<o:p></o:p></p>
<p class="MsoNormal"> Thanks!<br>
ellen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ralph Giles <<a href="mailto:giles@thaumas.net">giles@thaumas.net</a>>
<br>
<b>Sent:</b> Saturday, July 4, 2020 3:19 PM<br>
<b>To:</b> Ellen Johnson <<a href="mailto:ellenj@mathworks.com">ellenj@mathworks.com</a>>;
<a href="mailto:vorbis-dev@xiph.org">vorbis-dev@xiph.org</a><br>
<b>Subject:</b> Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ok,<br>
<br>
I wasn't able to track down the original steps to reproduce this<br>
issue,s but we believe CVE-2018-10393 is a dupiicate of CVE-2017-14160, <br>
both fixed by commit 018ca26dece6.<br>
<br>
Because of the confusion, I added additional bounds checks to<br>
the bark_noise_hybridmp function, which make it clear to local analysis<br>
that no for bugs in this class are possible. This change is in<br>
commit a9eb99a5bd6f.<br>
<br>
Both of these changes are included in the libvorbis 1.3.7 release,<br>
posted today. This upstream release addresses all the CVE issues I'm<br>
aware of. Hopefully that addresses your needs.<br>
<br>
Thanks for your patience while we prepared this release, and thanks to<br>
everyone who contributed patches, testing, and review work.<br>
<br>
Cheers,<br>
Ralph<br>
Xiph.Org Foundation for Open Multimedia<br>
<br>
On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote:<br>
> Hi Ralph,CVE-2018-10393<br>
> Thank you for your reply! <br>
> For context -- we consider reported CVEs as bugs even if it's in a<br>
> third-party library we use (such as libvorbis). We first determine<br>
> if the CVE is something that would impact our customer workflows. In<br>
> this case because of our use of libvorbis for audio I/O, it does<br>
> impact our customers so we need to resolve the CVE as soon as<br>
> possible.<br>
> In the short term until a new version is released, I'd like to<br>
> patch our libvorbis 1.3.6 with the two CVE fixes that I think are on<br>
> the master branch. From the gitlab comments, I'm pretty sure CVE-<br>
> 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether<br>
> CVE-2018-10393 is fixed via issue 2334 because of its link to<br>
> duplicate issue 2330 which doesn't exist. See <br>
> <a href="https://gitlab.xiph.org/xiph/vorbis/-/issues/2334">
https://gitlab.xiph.org/xiph/vorbis/-/issues/2334</a> and the comment by<br>
> Monty saying it's a dup of 2330, but Pierre comments that 2330<br>
> doesn't exist so he asked if Monty can point to the fix.<br>
> In the longer term, we'd love to talk more about how we can help<br>
> move the next release along and contribute to the libvorbis project<br>
> in general.<br>
> Yes, if you can please verify that both these CVEs are fixed in<br>
> master branch, I'd really appreciate it.<br>
> Thank you!<br>
> ellen<br>
> MATLAB Audio, Video, Image, and Scientific Data Formats<br>
> MathWorks<br>
> <br>
> -----Original Message-----<br>
> From: Ralph Giles <<a href="mailto:giles@thaumas.net">giles@thaumas.net</a>> <br>
> Sent: Wednesday, June 10, 2020 6:58 PM<br>
> To: Ellen Johnson <<a href="mailto:ellenj@mathworks.com">ellenj@mathworks.com</a>>;
<a href="mailto:vorbis-dev@xiph.org">vorbis-dev@xiph.org</a><br>
> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE<br>
> fixes?<br>
> <br>
> Hi Ellen,<br>
> <br>
> Thanks for your kind offer to help the release along. We have indeed<br>
> been having trouble finding resources for that.<br>
> <br>
> You can certainly help by testing the git master branch with your<br>
> software and reporting any issues you find. Otherwise, triaging<br>
> outstanding bug reports and patches is always helpful, although<br>
> that's not essential for a security-based release.<br>
> <br>
> I'll try to find out what the resolution on the reported CVEs was.<br>
> <br>
> Cheers,<br>
> -r<br>
> <br>
> On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:<br>
> > Hi libvorbis developers!<br>
> > I’m wondering if you had a chance to see my request for<br>
> > releasing a <br>
> > new libvorvis version – this is to have an official libvorbis<br>
> > release <br>
> > containing the CVE fixes that appear to be fixed in the master<br>
> > branch.<br>
> > Is there anything we can do to help with getting a release out?<br>
> > We’re happy to work with you on this. Please let us know if we can<br>
> > do <br>
> > anything to help move this along.<br>
> > Thank you!<br>
> > Ellen Johnson<br>
> > MATLAB Audio, Video, Image, and Scientific Data Formats<br>
> > MathWorks<br>
> > <br>
> > <br>
> > From: Ellen Johnson<br>
> > Sent: Tuesday, May 26, 2020 5:48 PM<br>
> > To: <a href="mailto:vorbis-dev@xiph.org">vorbis-dev@xiph.org</a><br>
> > Subject: libvorbis release for recent CVE fixes?<br>
> > <br>
> > Hi libvorbis developers, <br>
> > I hope you all are well!<br>
> > Here at MathWorks we use libvorbis as part of our MATLAB audio<br>
> > I/O <br>
> > functionality, and our current version is your latest version<br>
> > 1.3.6.<br>
> > We’ve had the following libvorbis CVEs reported to us which appear<br>
> > to <br>
> > be fixed in your gitlab master branch and which impact our customer<br>
> > workflows:<br>
> > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)<br>
> > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334,<br>
> > but <br>
> > the link to its duplicate issue 2330 does not work so I’m not 100% <br>
> > sure if this is fixed)<br>
> > Can you please do a point release so that we can be security <br>
> > compliant for our MATLAB customers?<br>
> > Thank you!<br>
> > Ellen Johnson<br>
> > MATLAB Audio, Video, Image, and Scientific Data Formats<br>
> > MathWorks<br>
> > <br>
> > _______________________________________________<br>
> > Vorbis-dev mailing list<br>
> > <a href="mailto:Vorbis-dev@xiph.org">Vorbis-dev@xiph.org</a><br>
> > <a href="http://lists.xiph.org/mailman/listinfo/vorbis-dev">
http://lists.xiph.org/mailman/listinfo/vorbis-dev</a>.<br>
> > xiph.org<o:p></o:p></p>
</div>
</body>
</html>