Vorbis dev - Jun 2020 - can we help with libvorbis release for CVE fixes?

Hi libvorbis developers!
   I'm wondering if you had a chance to see my request for releasing a new
libvorvis version - this is to have an official libvorbis release containing the
CVE fixes that appear to be fixed in the master branch.
   Is there anything we can do to help with getting a release out?  We're
happy to work with you on this.  Please let us know if we can do anything to
help move this along.
   Thank you!
     Ellen Johnson
     MATLAB Audio, Video, Image, and Scientific Data Formats
     MathWorks


From: Ellen Johnson
Sent: Tuesday, May 26, 2020 5:48 PM
To: vorbis-dev at xiph.org
Subject: libvorbis release for recent CVE fixes?

Hi libvorbis developers,
   I hope you all are well!
   Here at MathWorks we use libvorbis as part of our MATLAB audio I/O
functionality, and our current version is your latest version 1.3.6.  We've
had the following libvorbis CVEs reported to us which appear to be fixed in your
gitlab master branch and which impact our customer workflows:
     CVE-2018-10392 (looks like it's fixed via gitlab issue 2335)
     CVE-2018-10393 (looks like it's fixed via gitlab issue 2334, but the
link to its duplicate issue 2330 does not work so I'm not 100% sure if this
is fixed)
  Can you please do a point release so that we can be security compliant for our
MATLAB customers?
  Thank you!
     Ellen Johnson
     MATLAB Audio, Video, Image, and Scientific Data Formats
     MathWorks

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.xiph.org/pipermail/vorbis-dev/attachments/20200610/28467e14/attachment.html>

Hi Ellen,

Thanks for your kind offer to help the release along. We have indeed
been having trouble finding resources for that.

You can certainly help by testing the git master branch with your
software and reporting any issues you find. Otherwise, triaging
outstanding bug reports and patches is always helpful, although that's
not essential for a security-based release.

I'll try to find out what the resolution on the reported CVEs was.

Cheers,
 -r

On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:
> Hi libvorbis developers!
>    I’m wondering if you had a chance to see my request for releasing
> a new libvorvis version – this is to have an official libvorbis
> release containing the CVE fixes that appear to be fixed in the
> master branch.
>    Is there anything we can do to help with getting a release out?
> We’re happy to work with you on this.  Please let us know if we can
> do anything to help move this along.
>    Thank you!
>      Ellen Johnson
>      MATLAB Audio, Video, Image, and Scientific Data Formats
>      MathWorks
>  
>  
> From: Ellen Johnson 
> Sent: Tuesday, May 26, 2020 5:48 PM
> To: vorbis-dev at xiph.org
> Subject: libvorbis release for recent CVE fixes?
>  
> Hi libvorbis developers, 
>    I hope you all are well!
>    Here at MathWorks we use libvorbis as part of our MATLAB audio I/O
> functionality, and our current version is your latest version 1.3.6. 
> We’ve had the following libvorbis CVEs reported to us which appear to
> be fixed in your gitlab master branch and which impact our customer
> workflows:
>      CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)
>      CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but
> the link to its duplicate issue 2330 does not work so I’m not 100%
> sure if this is fixed)
>   Can you please do a point release so that we can be security
> compliant for our MATLAB customers?
>   Thank you!
>      Ellen Johnson
>      MATLAB Audio, Video, Image, and Scientific Data Formats
>      MathWorks
>  
> _______________________________________________
> Vorbis-dev mailing list
> Vorbis-dev at xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis-dev

Hi Ralph,
  Thank you for your reply!  
  For context -- we consider reported CVEs as bugs even if it's in a
third-party library we use (such as libvorbis).  We first determine if the CVE
is something that would impact our customer workflows.  In this case because of
our use of libvorbis for audio I/O, it does impact our customers so we need to
resolve the CVE as soon as possible.
  In the short term until a new version is released, I'd like to patch our
libvorbis 1.3.6 with the two CVE fixes that I think are on the master branch. 
From the gitlab comments, I'm pretty sure CVE-2018-10392 is fixed via issue
2335, but I'm still fuzzy on whether CVE-2018-10393 is fixed via issue 2334
because of its link to duplicate issue 2330 which doesn't exist.  See
https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by Monty
saying it's a dup of 2330, but Pierre comments that 2330 doesn't exist
so he asked if Monty can point to the fix.
  In the longer term, we'd love to talk more about how we can help move the
next release along and contribute to the libvorbis project in general.
  Yes, if you can please verify that both these CVEs are fixed in master branch,
I'd really appreciate it.
  Thank you!
      ellen
        MATLAB Audio, Video, Image, and Scientific Data Formats
        MathWorks

-----Original Message-----
From: Ralph Giles <giles at thaumas.net> 
Sent: Wednesday, June 10, 2020 6:58 PM
To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org
Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes?

Hi Ellen,

Thanks for your kind offer to help the release along. We have indeed been having
trouble finding resources for that.

You can certainly help by testing the git master branch with your software and
reporting any issues you find. Otherwise, triaging outstanding bug reports and
patches is always helpful, although that's not essential for a
security-based release.

I'll try to find out what the resolution on the reported CVEs was.

Cheers,
 -r

On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:
> Hi libvorbis developers!
>    I’m wondering if you had a chance to see my request for releasing a 
> new libvorvis version – this is to have an official libvorbis release 
> containing the CVE fixes that appear to be fixed in the master branch.
>    Is there anything we can do to help with getting a release out?
> We’re happy to work with you on this.  Please let us know if we can do 
> anything to help move this along.
>    Thank you!
>      Ellen Johnson
>      MATLAB Audio, Video, Image, and Scientific Data Formats
>      MathWorks
>  
>  
> From: Ellen Johnson
> Sent: Tuesday, May 26, 2020 5:48 PM
> To: vorbis-dev at xiph.org
> Subject: libvorbis release for recent CVE fixes?
>  
> Hi libvorbis developers, 
>    I hope you all are well!
>    Here at MathWorks we use libvorbis as part of our MATLAB audio I/O 
> functionality, and our current version is your latest version 1.3.6.
> We’ve had the following libvorbis CVEs reported to us which appear to 
> be fixed in your gitlab master branch and which impact our customer
> workflows:
>      CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)
>      CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but 
> the link to its duplicate issue 2330 does not work so I’m not 100% 
> sure if this is fixed)
>   Can you please do a point release so that we can be security 
> compliant for our MATLAB customers?
>   Thank you!
>      Ellen Johnson
>      MATLAB Audio, Video, Image, and Scientific Data Formats
>      MathWorks
>  
> _______________________________________________
> Vorbis-dev mailing list
> Vorbis-dev at xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis-dev.
> xiph.org