Ellen Johnson
2020-Jul-07 19:00 UTC
[Vorbis-dev] new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?
Hi Ralph, Again, thanks so much for doing all this! Plus thanks to all the folks who contributed to the new release! Quick clarifying question -- Isn't CVE-2018-10392 (looks like it’s fixed in https://gitlab.xiph.org/xiph/vorbis/-/issues/2335) also included in new version 1.3.7? If so can you please add it to release notes? (I asked the same question in https://gitlab.xiph.org/xiph/vorbis/-/issues/2334). Thanks again! ellen From: Ellen Johnson Sent: Monday, July 6, 2020 4:39 PM To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Hi Ralph, Thank you so much for not only tracking down the fix for CVE-2018-10393 and adding the extra bounds check to bark_noise_hybridmp(), but also for releasing an official 1.3.7 release with these fixes and other bug fixes! We really appreciate your work on clarifying the CVE fix. Plus with the new release I can upgrade from 1.3.6 to 1.3.7 instead of having to patch piecemeal from the master branch. Please let us know how MathWorks can help with the libvorbis project moving forward. We’re happy to work with you! Thanks! ellen From: Ralph Giles <giles at thaumas.net<mailto:giles at thaumas.net>> Sent: Saturday, July 4, 2020 3:19 PM To: Ellen Johnson <ellenj at mathworks.com<mailto:ellenj at mathworks.com>>; vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Ok, I wasn't able to track down the original steps to reproduce this issue,s but we believe CVE-2018-10393 is a dupiicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f. Both of these changes are included in the libvorbis 1.3.7 release, posted today. This upstream release addresses all the CVE issues I'm aware of. Hopefully that addresses your needs. Thanks for your patience while we prepared this release, and thanks to everyone who contributed patches, testing, and review work. Cheers, Ralph Xiph.Org Foundation for Open Multimedia On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote:> Hi Ralph,CVE-2018-10393 > Thank you for your reply! > For context -- we consider reported CVEs as bugs even if it's in a > third-party library we use (such as libvorbis). We first determine > if the CVE is something that would impact our customer workflows. In > this case because of our use of libvorbis for audio I/O, it does > impact our customers so we need to resolve the CVE as soon as > possible. > In the short term until a new version is released, I'd like to > patch our libvorbis 1.3.6 with the two CVE fixes that I think are on > the master branch. From the gitlab comments, I'm pretty sure CVE- > 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether > CVE-2018-10393 is fixed via issue 2334 because of its link to > duplicate issue 2330 which doesn't exist. See > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334<https://gitlab.xiph.org/xiph/vorbis/-/issues/2334> and the comment by > Monty saying it's a dup of 2330, but Pierre comments that 2330 > doesn't exist so he asked if Monty can point to the fix. > In the longer term, we'd love to talk more about how we can help > move the next release along and contribute to the libvorbis project > in general. > Yes, if you can please verify that both these CVEs are fixed in > master branch, I'd really appreciate it. > Thank you! > ellen > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > -----Original Message----- > From: Ralph Giles <giles at thaumas.net<mailto:giles at thaumas.net>> > Sent: Wednesday, June 10, 2020 6:58 PM > To: Ellen Johnson <ellenj at mathworks.com<mailto:ellenj at mathworks.com>>; vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ellen, > > Thanks for your kind offer to help the release along. We have indeed > been having trouble finding resources for that. > > You can certainly help by testing the git master branch with your > software and reporting any issues you find. Otherwise, triaging > outstanding bug reports and patches is always helpful, although > that's not essential for a security-based release. > > I'll try to find out what the resolution on the reported CVEs was. > > Cheers, > -r > > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote: > > Hi libvorbis developers! > > I’m wondering if you had a chance to see my request for > > releasing a > > new libvorvis version – this is to have an official libvorbis > > release > > containing the CVE fixes that appear to be fixed in the master > > branch. > > Is there anything we can do to help with getting a release out? > > We’re happy to work with you on this. Please let us know if we can > > do > > anything to help move this along. > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > > > From: Ellen Johnson > > Sent: Tuesday, May 26, 2020 5:48 PM > > To: vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> > > Subject: libvorbis release for recent CVE fixes? > > > > Hi libvorbis developers, > > I hope you all are well! > > Here at MathWorks we use libvorbis as part of our MATLAB audio > > I/O > > functionality, and our current version is your latest version > > 1.3.6. > > We’ve had the following libvorbis CVEs reported to us which appear > > to > > be fixed in your gitlab master branch and which impact our customer > > workflows: > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, > > but > > the link to its duplicate issue 2330 does not work so I’m not 100% > > sure if this is fixed) > > Can you please do a point release so that we can be security > > compliant for our MATLAB customers? > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > _______________________________________________ > > Vorbis-dev mailing list > > Vorbis-dev at xiph.org<mailto:Vorbis-dev at xiph.org> > > http://lists.xiph.org/mailman/listinfo/vorbis-dev<http://lists.xiph.org/mailman/listinfo/vorbis-dev>. > > xiph.org-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.xiph.org/pipermail/vorbis-dev/attachments/20200707/147c61c4/attachment.html>
Ellen Johnson
2020-Jul-13 15:21 UTC
[Vorbis-dev] new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?
Hi Ralph, Did you have a chance to see my latest request about also including fix for CVE-2018-10392 (issue 2335) in release notes? Thanks! ellen From: Ellen Johnson Sent: Tuesday, July 7, 2020 3:01 PM To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org Subject: new 1.3.7 and fix for CVE-2018-10392 (issue 2335)? Hi Ralph, Again, thanks so much for doing all this! Plus thanks to all the folks who contributed to the new release! Quick clarifying question -- Isn't CVE-2018-10392 (looks like it’s fixed in https://gitlab.xiph.org/xiph/vorbis/-/issues/2335) also included in new version 1.3.7? If so can you please add it to release notes? (I asked the same question in https://gitlab.xiph.org/xiph/vorbis/-/issues/2334). Thanks again! ellen From: Ellen Johnson Sent: Monday, July 6, 2020 4:39 PM To: Ralph Giles <giles at thaumas.net<mailto:giles at thaumas.net>>; vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Hi Ralph, Thank you so much for not only tracking down the fix for CVE-2018-10393 and adding the extra bounds check to bark_noise_hybridmp(), but also for releasing an official 1.3.7 release with these fixes and other bug fixes! We really appreciate your work on clarifying the CVE fix. Plus with the new release I can upgrade from 1.3.6 to 1.3.7 instead of having to patch piecemeal from the master branch. Please let us know how MathWorks can help with the libvorbis project moving forward. We’re happy to work with you! Thanks! ellen From: Ralph Giles <giles at thaumas.net<mailto:giles at thaumas.net>> Sent: Saturday, July 4, 2020 3:19 PM To: Ellen Johnson <ellenj at mathworks.com<mailto:ellenj at mathworks.com>>; vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Ok, I wasn't able to track down the original steps to reproduce this issue,s but we believe CVE-2018-10393 is a dupiicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f. Both of these changes are included in the libvorbis 1.3.7 release, posted today. This upstream release addresses all the CVE issues I'm aware of. Hopefully that addresses your needs. Thanks for your patience while we prepared this release, and thanks to everyone who contributed patches, testing, and review work. Cheers, Ralph Xiph.Org Foundation for Open Multimedia On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote:> Hi Ralph,CVE-2018-10393 > Thank you for your reply! > For context -- we consider reported CVEs as bugs even if it's in a > third-party library we use (such as libvorbis). We first determine > if the CVE is something that would impact our customer workflows. In > this case because of our use of libvorbis for audio I/O, it does > impact our customers so we need to resolve the CVE as soon as > possible. > In the short term until a new version is released, I'd like to > patch our libvorbis 1.3.6 with the two CVE fixes that I think are on > the master branch. From the gitlab comments, I'm pretty sure CVE- > 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether > CVE-2018-10393 is fixed via issue 2334 because of its link to > duplicate issue 2330 which doesn't exist. See > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334<https://gitlab.xiph.org/xiph/vorbis/-/issues/2334> and the comment by > Monty saying it's a dup of 2330, but Pierre comments that 2330 > doesn't exist so he asked if Monty can point to the fix. > In the longer term, we'd love to talk more about how we can help > move the next release along and contribute to the libvorbis project > in general. > Yes, if you can please verify that both these CVEs are fixed in > master branch, I'd really appreciate it. > Thank you! > ellen > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > -----Original Message----- > From: Ralph Giles <giles at thaumas.net<mailto:giles at thaumas.net>> > Sent: Wednesday, June 10, 2020 6:58 PM > To: Ellen Johnson <ellenj at mathworks.com<mailto:ellenj at mathworks.com>>; vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ellen, > > Thanks for your kind offer to help the release along. We have indeed > been having trouble finding resources for that. > > You can certainly help by testing the git master branch with your > software and reporting any issues you find. Otherwise, triaging > outstanding bug reports and patches is always helpful, although > that's not essential for a security-based release. > > I'll try to find out what the resolution on the reported CVEs was. > > Cheers, > -r > > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote: > > Hi libvorbis developers! > > I’m wondering if you had a chance to see my request for > > releasing a > > new libvorvis version – this is to have an official libvorbis > > release > > containing the CVE fixes that appear to be fixed in the master > > branch. > > Is there anything we can do to help with getting a release out? > > We’re happy to work with you on this. Please let us know if we can > > do > > anything to help move this along. > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > > > From: Ellen Johnson > > Sent: Tuesday, May 26, 2020 5:48 PM > > To: vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> > > Subject: libvorbis release for recent CVE fixes? > > > > Hi libvorbis developers, > > I hope you all are well! > > Here at MathWorks we use libvorbis as part of our MATLAB audio > > I/O > > functionality, and our current version is your latest version > > 1.3.6. > > We’ve had the following libvorbis CVEs reported to us which appear > > to > > be fixed in your gitlab master branch and which impact our customer > > workflows: > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, > > but > > the link to its duplicate issue 2330 does not work so I’m not 100% > > sure if this is fixed) > > Can you please do a point release so that we can be security > > compliant for our MATLAB customers? > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > _______________________________________________ > > Vorbis-dev mailing list > > Vorbis-dev at xiph.org<mailto:Vorbis-dev at xiph.org> > > http://lists.xiph.org/mailman/listinfo/vorbis-dev<http://lists.xiph.org/mailman/listinfo/vorbis-dev>. > > xiph.org-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.xiph.org/pipermail/vorbis-dev/attachments/20200713/07a38ff4/attachment-0001.html>
Ralph Giles
2020-Jul-20 16:18 UTC
[Vorbis-dev] new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?
Yes, CVE-2018-10392 is fixed in the 1.3.7 release. I've updated the release notes on the gitlab and github projects, and the CHANGES file in the repository itself. I did not update the 1.3.7 source packages or tag, since those are published artefacts. Thanks for pointing out this oversight, Ralph On Tue, 2020-07-07 at 19:00 +0000, Ellen Johnson wrote:> Hi Ralph, > Again, thanks so much for doing all this! Plus thanks to all the > folks who contributed to the new release! > Quick clarifying question -- Isn't CVE-2018-10392 (looks like it’s > fixed in https://gitlab.xiph.org/xiph/vorbis/-/issues/2335) also > included in new version 1.3.7? If so can you please add it to release > notes? > (I asked the same question in > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334). > Thanks again! > ellen > > From: Ellen Johnson > Sent: Monday, July 6, 2020 4:39 PM > To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org > Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ralph, > Thank you so much for not only tracking down the fix for CVE-2018- > 10393 and adding the extra bounds check to bark_noise_hybridmp(), but > also for releasing an official 1.3.7 release with these fixes and > other bug fixes! > We really appreciate your work on clarifying the CVE fix. Plus > with the new release I can upgrade from 1.3.6 to 1.3.7 instead of > having to patch piecemeal from the master branch. > Please let us know how MathWorks can help with the libvorbis > project moving forward. We’re happy to work with you! > Thanks! > ellen > > From: Ralph Giles <giles at thaumas.net> > Sent: Saturday, July 4, 2020 3:19 PM > To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Ok, > > I wasn't able to track down the original steps to reproduce this > issue,s but we believe CVE-2018-10393 is a dupiicate of CVE-2017- > 14160, > both fixed by commit 018ca26dece6. > > Because of the confusion, I added additional bounds checks to > the bark_noise_hybridmp function, which make it clear to local > analysis > that no for bugs in this class are possible. This change is in > commit a9eb99a5bd6f. > > Both of these changes are included in the libvorbis 1.3.7 release, > posted today. This upstream release addresses all the CVE issues I'm > aware of. Hopefully that addresses your needs. > > Thanks for your patience while we prepared this release, and thanks > to > everyone who contributed patches, testing, and review work. > > Cheers, > Ralph > Xiph.Org Foundation for Open Multimedia > > On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote: > > Hi Ralph,CVE-2018-10393 > > Thank you for your reply! > > For context -- we consider reported CVEs as bugs even if it's in a > > third-party library we use (such as libvorbis). We first determine > > if the CVE is something that would impact our customer workflows. > In > > this case because of our use of libvorbis for audio I/O, it does > > impact our customers so we need to resolve the CVE as soon as > > possible. > > In the short term until a new version is released, I'd like to > > patch our libvorbis 1.3.6 with the two CVE fixes that I think are > on > > the master branch. From the gitlab comments, I'm pretty sure CVE- > > 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether > > CVE-2018-10393 is fixed via issue 2334 because of its link to > > duplicate issue 2330 which doesn't exist. See > > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment > by > > Monty saying it's a dup of 2330, but Pierre comments that 2330 > > doesn't exist so he asked if Monty can point to the fix. > > In the longer term, we'd love to talk more about how we can help > > move the next release along and contribute to the libvorbis project > > in general. > > Yes, if you can please verify that both these CVEs are fixed in > > master branch, I'd really appreciate it. > > Thank you! > > ellen > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > -----Original Message----- > > From: Ralph Giles <giles at thaumas.net> > > Sent: Wednesday, June 10, 2020 6:58 PM > > To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org > > Subject: Re: [Vorbis-dev] can we help with libvorbis release for > CVE > > fixes? > > > > Hi Ellen, > > > > Thanks for your kind offer to help the release along. We have > indeed > > been having trouble finding resources for that. > > > > You can certainly help by testing the git master branch with your > > software and reporting any issues you find. Otherwise, triaging > > outstanding bug reports and patches is always helpful, although > > that's not essential for a security-based release. > > > > I'll try to find out what the resolution on the reported CVEs was. > > > > Cheers, > > -r > > > > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote: > > > Hi libvorbis developers! > > > I’m wondering if you had a chance to see my request for > > > releasing a > > > new libvorvis version – this is to have an official libvorbis > > > release > > > containing the CVE fixes that appear to be fixed in the master > > > branch. > > > Is there anything we can do to help with getting a release out? > > > We’re happy to work with you on this. Please let us know if we > can > > > do > > > anything to help move this along. > > > Thank you! > > > Ellen Johnson > > > MATLAB Audio, Video, Image, and Scientific Data Formats > > > MathWorks > > > > > > > > > From: Ellen Johnson > > > Sent: Tuesday, May 26, 2020 5:48 PM > > > To: vorbis-dev at xiph.org > > > Subject: libvorbis release for recent CVE fixes? > > > > > > Hi libvorbis developers, > > > I hope you all are well! > > > Here at MathWorks we use libvorbis as part of our MATLAB audio > > > I/O > > > functionality, and our current version is your latest version > > > 1.3.6. > > > We’ve had the following libvorbis CVEs reported to us which > appear > > > to > > > be fixed in your gitlab master branch and which impact our > customer > > > workflows: > > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, > > > but > > > the link to its duplicate issue 2330 does not work so I’m not > 100% > > > sure if this is fixed) > > > Can you please do a point release so that we can be security > > > compliant for our MATLAB customers? > > > Thank you! > > > Ellen Johnson > > > MATLAB Audio, Video, Image, and Scientific Data Formats > > > MathWorks > > > > > > _______________________________________________ > > > Vorbis-dev mailing list > > > Vorbis-dev at xiph.org > > > http://lists.xiph.org/mailman/listinfo/vorbis-dev. > > > xiph.org