Ellen Johnson
2020-Jun-12 16:19 UTC
[Vorbis-dev] can we help with libvorbis release for CVE fixes?
Hi Ralph, Thank you for your reply! For context -- we consider reported CVEs as bugs even if it's in a third-party library we use (such as libvorbis). We first determine if the CVE is something that would impact our customer workflows. In this case because of our use of libvorbis for audio I/O, it does impact our customers so we need to resolve the CVE as soon as possible. In the short term until a new version is released, I'd like to patch our libvorbis 1.3.6 with the two CVE fixes that I think are on the master branch. From the gitlab comments, I'm pretty sure CVE-2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether CVE-2018-10393 is fixed via issue 2334 because of its link to duplicate issue 2330 which doesn't exist. See https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by Monty saying it's a dup of 2330, but Pierre comments that 2330 doesn't exist so he asked if Monty can point to the fix. In the longer term, we'd love to talk more about how we can help move the next release along and contribute to the libvorbis project in general. Yes, if you can please verify that both these CVEs are fixed in master branch, I'd really appreciate it. Thank you! ellen MATLAB Audio, Video, Image, and Scientific Data Formats MathWorks -----Original Message----- From: Ralph Giles <giles at thaumas.net> Sent: Wednesday, June 10, 2020 6:58 PM To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Hi Ellen, Thanks for your kind offer to help the release along. We have indeed been having trouble finding resources for that. You can certainly help by testing the git master branch with your software and reporting any issues you find. Otherwise, triaging outstanding bug reports and patches is always helpful, although that's not essential for a security-based release. I'll try to find out what the resolution on the reported CVEs was. Cheers, -r On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:> Hi libvorbis developers! > I’m wondering if you had a chance to see my request for releasing a > new libvorvis version – this is to have an official libvorbis release > containing the CVE fixes that appear to be fixed in the master branch. > Is there anything we can do to help with getting a release out? > We’re happy to work with you on this. Please let us know if we can do > anything to help move this along. > Thank you! > Ellen Johnson > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > > From: Ellen Johnson > Sent: Tuesday, May 26, 2020 5:48 PM > To: vorbis-dev at xiph.org > Subject: libvorbis release for recent CVE fixes? > > Hi libvorbis developers, > I hope you all are well! > Here at MathWorks we use libvorbis as part of our MATLAB audio I/O > functionality, and our current version is your latest version 1.3.6. > We’ve had the following libvorbis CVEs reported to us which appear to > be fixed in your gitlab master branch and which impact our customer > workflows: > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but > the link to its duplicate issue 2330 does not work so I’m not 100% > sure if this is fixed) > Can you please do a point release so that we can be security > compliant for our MATLAB customers? > Thank you! > Ellen Johnson > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > _______________________________________________ > Vorbis-dev mailing list > Vorbis-dev at xiph.org > http://lists.xiph.org/mailman/listinfo/vorbis-dev. > xiph.org
Ellen Johnson
2020-Jun-29 21:27 UTC
[Vorbis-dev] can we help with libvorbis release for CVE fixes?
Hi Ralph and libvorbis developers, I thought the vorbis gitlab project was the main development site (https://gitlab.xiph.org/xiph/vorbis) because that's what the NVD CVE tracker points to for the two CVEs I mentioned. But I just realized there's also a vorbis github project (https://github.com/xiph/vorbis). Both appear to have recent activity. Is the gitlab project the correct one to get the CVE fixes from so we can patch our 1.3.6 to have latest security fixes? Thanks! ellen -----Original Message----- From: Ellen Johnson Sent: Friday, June 12, 2020 12:19 PM To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Hi Ralph, Thank you for your reply! For context -- we consider reported CVEs as bugs even if it's in a third-party library we use (such as libvorbis). We first determine if the CVE is something that would impact our customer workflows. In this case because of our use of libvorbis for audio I/O, it does impact our customers so we need to resolve the CVE as soon as possible. In the short term until a new version is released, I'd like to patch our libvorbis 1.3.6 with the two CVE fixes that I think are on the master branch. From the gitlab comments, I'm pretty sure CVE-2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether CVE-2018-10393 is fixed via issue 2334 because of its link to duplicate issue 2330 which doesn't exist. See https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by Monty saying it's a dup of 2330, but Pierre comments that 2330 doesn't exist so he asked if Monty can point to the fix. In the longer term, we'd love to talk more about how we can help move the next release along and contribute to the libvorbis project in general. Yes, if you can please verify that both these CVEs are fixed in master branch, I'd really appreciate it. Thank you! ellen MATLAB Audio, Video, Image, and Scientific Data Formats MathWorks -----Original Message----- From: Ralph Giles <giles at thaumas.net> Sent: Wednesday, June 10, 2020 6:58 PM To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Hi Ellen, Thanks for your kind offer to help the release along. We have indeed been having trouble finding resources for that. You can certainly help by testing the git master branch with your software and reporting any issues you find. Otherwise, triaging outstanding bug reports and patches is always helpful, although that's not essential for a security-based release. I'll try to find out what the resolution on the reported CVEs was. Cheers, -r On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:> Hi libvorbis developers! > I’m wondering if you had a chance to see my request for releasing a > new libvorvis version – this is to have an official libvorbis release > containing the CVE fixes that appear to be fixed in the master branch. > Is there anything we can do to help with getting a release out? > We’re happy to work with you on this. Please let us know if we can do > anything to help move this along. > Thank you! > Ellen Johnson > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > > From: Ellen Johnson > Sent: Tuesday, May 26, 2020 5:48 PM > To: vorbis-dev at xiph.org > Subject: libvorbis release for recent CVE fixes? > > Hi libvorbis developers, > I hope you all are well! > Here at MathWorks we use libvorbis as part of our MATLAB audio I/O > functionality, and our current version is your latest version 1.3.6. > We’ve had the following libvorbis CVEs reported to us which appear to > be fixed in your gitlab master branch and which impact our customer > workflows: > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, but > the link to its duplicate issue 2330 does not work so I’m not 100% > sure if this is fixed) > Can you please do a point release so that we can be security > compliant for our MATLAB customers? > Thank you! > Ellen Johnson > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > _______________________________________________ > Vorbis-dev mailing list > Vorbis-dev at xiph.org > http://lists.xiph.org/mailman/listinfo/vorbis-dev. > xiph.org
Ralph Giles
2020-Jun-30 15:58 UTC
[Vorbis-dev] can we help with libvorbis release for CVE fixes?
Yes, the gitlab instance is the correct upstream development repository. We maintain a mirror at github for the convenience of developers there. Cheers, Ralph On Mon, 2020-06-29 at 21:27 +0000, Ellen Johnson wrote:> Hi Ralph and libvorbis developers, > I thought the vorbis gitlab project was the main development site ( > https://gitlab.xiph.org/xiph/vorbis) because that's what the NVD CVE > tracker points to for the two CVEs I mentioned. But I just realized > there's also a vorbis github project (https://github.com/xiph/vorbis) > . Both appear to have recent activity. > Is the gitlab project the correct one to get the CVE fixes from so > we can patch our 1.3.6 to have latest security fixes? > Thanks! > ellen > > -----Original Message----- > From: Ellen Johnson > Sent: Friday, June 12, 2020 12:19 PM > To: Ralph Giles <giles at thaumas.net>; vorbis-dev at xiph.org > Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ralph, > Thank you for your reply! > For context -- we consider reported CVEs as bugs even if it's in a > third-party library we use (such as libvorbis). We first determine > if the CVE is something that would impact our customer workflows. In > this case because of our use of libvorbis for audio I/O, it does > impact our customers so we need to resolve the CVE as soon as > possible. > In the short term until a new version is released, I'd like to > patch our libvorbis 1.3.6 with the two CVE fixes that I think are on > the master branch. From the gitlab comments, I'm pretty sure CVE- > 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether > CVE-2018-10393 is fixed via issue 2334 because of its link to > duplicate issue 2330 which doesn't exist. See > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by > Monty saying it's a dup of 2330, but Pierre comments that 2330 > doesn't exist so he asked if Monty can point to the fix. > In the longer term, we'd love to talk more about how we can help > move the next release along and contribute to the libvorbis project > in general. > Yes, if you can please verify that both these CVEs are fixed in > master branch, I'd really appreciate it. > Thank you! > ellen > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > -----Original Message----- > From: Ralph Giles <giles at thaumas.net> > Sent: Wednesday, June 10, 2020 6:58 PM > To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ellen, > > Thanks for your kind offer to help the release along. We have indeed > been having trouble finding resources for that. > > You can certainly help by testing the git master branch with your > software and reporting any issues you find. Otherwise, triaging > outstanding bug reports and patches is always helpful, although > that's not essential for a security-based release. > > I'll try to find out what the resolution on the reported CVEs was. > > Cheers, > -r > > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote: > > Hi libvorbis developers! > > I’m wondering if you had a chance to see my request for > > releasing a > > new libvorvis version – this is to have an official libvorbis > > release > > containing the CVE fixes that appear to be fixed in the master > > branch. > > Is there anything we can do to help with getting a release out? > > We’re happy to work with you on this. Please let us know if we can > > do > > anything to help move this along. > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > > > From: Ellen Johnson > > Sent: Tuesday, May 26, 2020 5:48 PM > > To: vorbis-dev at xiph.org > > Subject: libvorbis release for recent CVE fixes? > > > > Hi libvorbis developers, > > I hope you all are well! > > Here at MathWorks we use libvorbis as part of our MATLAB audio > > I/O > > functionality, and our current version is your latest version > > 1.3.6. > > We’ve had the following libvorbis CVEs reported to us which appear > > to > > be fixed in your gitlab master branch and which impact our customer > > workflows: > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, > > but > > the link to its duplicate issue 2330 does not work so I’m not 100% > > sure if this is fixed) > > Can you please do a point release so that we can be security > > compliant for our MATLAB customers? > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > _______________________________________________ > > Vorbis-dev mailing list > > Vorbis-dev at xiph.org > > http://lists.xiph.org/mailman/listinfo/vorbis-dev. > > xiph.org
Ralph Giles
2020-Jul-04 19:19 UTC
[Vorbis-dev] can we help with libvorbis release for CVE fixes?
Ok, I wasn't able to track down the original steps to reproduce this issue,s but we believe CVE-2018-10393 is a dupiicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f. Both of these changes are included in the libvorbis 1.3.7 release, posted today. This upstream release addresses all the CVE issues I'm aware of. Hopefully that addresses your needs. Thanks for your patience while we prepared this release, and thanks to everyone who contributed patches, testing, and review work. Cheers, Ralph Xiph.Org Foundation for Open Multimedia On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote:> Hi Ralph,CVE-2018-10393 > Thank you for your reply! > For context -- we consider reported CVEs as bugs even if it's in a > third-party library we use (such as libvorbis). We first determine > if the CVE is something that would impact our customer workflows. In > this case because of our use of libvorbis for audio I/O, it does > impact our customers so we need to resolve the CVE as soon as > possible. > In the short term until a new version is released, I'd like to > patch our libvorbis 1.3.6 with the two CVE fixes that I think are on > the master branch. From the gitlab comments, I'm pretty sure CVE- > 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether > CVE-2018-10393 is fixed via issue 2334 because of its link to > duplicate issue 2330 which doesn't exist. See > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334 and the comment by > Monty saying it's a dup of 2330, but Pierre comments that 2330 > doesn't exist so he asked if Monty can point to the fix. > In the longer term, we'd love to talk more about how we can help > move the next release along and contribute to the libvorbis project > in general. > Yes, if you can please verify that both these CVEs are fixed in > master branch, I'd really appreciate it. > Thank you! > ellen > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > -----Original Message----- > From: Ralph Giles <giles at thaumas.net> > Sent: Wednesday, June 10, 2020 6:58 PM > To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ellen, > > Thanks for your kind offer to help the release along. We have indeed > been having trouble finding resources for that. > > You can certainly help by testing the git master branch with your > software and reporting any issues you find. Otherwise, triaging > outstanding bug reports and patches is always helpful, although > that's not essential for a security-based release. > > I'll try to find out what the resolution on the reported CVEs was. > > Cheers, > -r > > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote: > > Hi libvorbis developers! > > I’m wondering if you had a chance to see my request for > > releasing a > > new libvorvis version – this is to have an official libvorbis > > release > > containing the CVE fixes that appear to be fixed in the master > > branch. > > Is there anything we can do to help with getting a release out? > > We’re happy to work with you on this. Please let us know if we can > > do > > anything to help move this along. > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > > > From: Ellen Johnson > > Sent: Tuesday, May 26, 2020 5:48 PM > > To: vorbis-dev at xiph.org > > Subject: libvorbis release for recent CVE fixes? > > > > Hi libvorbis developers, > > I hope you all are well! > > Here at MathWorks we use libvorbis as part of our MATLAB audio > > I/O > > functionality, and our current version is your latest version > > 1.3.6. > > We’ve had the following libvorbis CVEs reported to us which appear > > to > > be fixed in your gitlab master branch and which impact our customer > > workflows: > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, > > but > > the link to its duplicate issue 2330 does not work so I’m not 100% > > sure if this is fixed) > > Can you please do a point release so that we can be security > > compliant for our MATLAB customers? > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > _______________________________________________ > > Vorbis-dev mailing list > > Vorbis-dev at xiph.org > > http://lists.xiph.org/mailman/listinfo/vorbis-dev. > > xiph.org
Ellen Johnson
2020-Jul-06 20:38 UTC
[Vorbis-dev] can we help with libvorbis release for CVE fixes?
Hi Ralph, Thank you so much for not only tracking down the fix for CVE-2018-10393 and adding the extra bounds check to bark_noise_hybridmp(), but also for releasing an official 1.3.7 release with these fixes and other bug fixes! We really appreciate your work on clarifying the CVE fix. Plus with the new release I can upgrade from 1.3.6 to 1.3.7 instead of having to patch piecemeal from the master branch. Please let us know how MathWorks can help with the libvorbis project moving forward. We’re happy to work with you! Thanks! ellen From: Ralph Giles <giles at thaumas.net> Sent: Saturday, July 4, 2020 3:19 PM To: Ellen Johnson <ellenj at mathworks.com>; vorbis-dev at xiph.org Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes? Ok, I wasn't able to track down the original steps to reproduce this issue,s but we believe CVE-2018-10393 is a dupiicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f. Both of these changes are included in the libvorbis 1.3.7 release, posted today. This upstream release addresses all the CVE issues I'm aware of. Hopefully that addresses your needs. Thanks for your patience while we prepared this release, and thanks to everyone who contributed patches, testing, and review work. Cheers, Ralph Xiph.Org Foundation for Open Multimedia On Fri, 2020-06-12 at 16:19 +0000, Ellen Johnson wrote:> Hi Ralph,CVE-2018-10393 > Thank you for your reply! > For context -- we consider reported CVEs as bugs even if it's in a > third-party library we use (such as libvorbis). We first determine > if the CVE is something that would impact our customer workflows. In > this case because of our use of libvorbis for audio I/O, it does > impact our customers so we need to resolve the CVE as soon as > possible. > In the short term until a new version is released, I'd like to > patch our libvorbis 1.3.6 with the two CVE fixes that I think are on > the master branch. From the gitlab comments, I'm pretty sure CVE- > 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether > CVE-2018-10393 is fixed via issue 2334 because of its link to > duplicate issue 2330 which doesn't exist. See > https://gitlab.xiph.org/xiph/vorbis/-/issues/2334<https://gitlab.xiph.org/xiph/vorbis/-/issues/2334> and the comment by > Monty saying it's a dup of 2330, but Pierre comments that 2330 > doesn't exist so he asked if Monty can point to the fix. > In the longer term, we'd love to talk more about how we can help > move the next release along and contribute to the libvorbis project > in general. > Yes, if you can please verify that both these CVEs are fixed in > master branch, I'd really appreciate it. > Thank you! > ellen > MATLAB Audio, Video, Image, and Scientific Data Formats > MathWorks > > -----Original Message----- > From: Ralph Giles <giles at thaumas.net<mailto:giles at thaumas.net>> > Sent: Wednesday, June 10, 2020 6:58 PM > To: Ellen Johnson <ellenj at mathworks.com<mailto:ellenj at mathworks.com>>; vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> > Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE > fixes? > > Hi Ellen, > > Thanks for your kind offer to help the release along. We have indeed > been having trouble finding resources for that. > > You can certainly help by testing the git master branch with your > software and reporting any issues you find. Otherwise, triaging > outstanding bug reports and patches is always helpful, although > that's not essential for a security-based release. > > I'll try to find out what the resolution on the reported CVEs was. > > Cheers, > -r > > On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote: > > Hi libvorbis developers! > > I’m wondering if you had a chance to see my request for > > releasing a > > new libvorvis version – this is to have an official libvorbis > > release > > containing the CVE fixes that appear to be fixed in the master > > branch. > > Is there anything we can do to help with getting a release out? > > We’re happy to work with you on this. Please let us know if we can > > do > > anything to help move this along. > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > > > From: Ellen Johnson > > Sent: Tuesday, May 26, 2020 5:48 PM > > To: vorbis-dev at xiph.org<mailto:vorbis-dev at xiph.org> > > Subject: libvorbis release for recent CVE fixes? > > > > Hi libvorbis developers, > > I hope you all are well! > > Here at MathWorks we use libvorbis as part of our MATLAB audio > > I/O > > functionality, and our current version is your latest version > > 1.3.6. > > We’ve had the following libvorbis CVEs reported to us which appear > > to > > be fixed in your gitlab master branch and which impact our customer > > workflows: > > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335) > > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334, > > but > > the link to its duplicate issue 2330 does not work so I’m not 100% > > sure if this is fixed) > > Can you please do a point release so that we can be security > > compliant for our MATLAB customers? > > Thank you! > > Ellen Johnson > > MATLAB Audio, Video, Image, and Scientific Data Formats > > MathWorks > > > > _______________________________________________ > > Vorbis-dev mailing list > > Vorbis-dev at xiph.org<mailto:Vorbis-dev at xiph.org> > > http://lists.xiph.org/mailman/listinfo/vorbis-dev<http://lists.xiph.org/mailman/listinfo/vorbis-dev>. > > xiph.org-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.xiph.org/pipermail/vorbis-dev/attachments/20200706/aea6f57f/attachment.html>