• Bug#1091633: Info received (libtheora: CVE-2024-56431)

    From Petter Reinholdtsen@21:1/5 to All on Sun Mar 9 11:50:01 2025
    Control: forwarded -1 https://gitlab.xiph.org/xiph/theora/-/merge_requests/28

    A fix for this is believed to be pending in the upstream git now.
    --
    Happy hacking
    Petter Reinholdtsen

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Petter Reinholdtsen@21:1/5 to All on Sat Mar 15 10:00:01 2025
    Control: tags -1 + patch

    This patch has been applied upstream to fix this security problem. It
    is also included in the 1.2.0beta1 release which was tagged upstream
    today.

    commit 5665f86b8fd8345bb09469990e79221562ac204b
    Author: Petter Reinholdtsen <pere@debian.org>
    Date: Mon Mar 10 22:45:57 2025 +0100

    Avoid negative bit shift operation in huffdec.c (CVE-2024-56431).

    A crash was discovered using input fuzzing, in th_decode_headerin()
    where the len value in the oc_huff_tree_unpack() can end up as -1.
    Added a check to ensure this does not happen.

    Based on feedback from Timothy B. Terriberry.

    The issue was discovered using gcc sanitization, which reported the following:

    huffdec.c:228:27: runtime error: shift exponent -1 is negative
    #0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
    #1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
    #2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
    #3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
    #4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
    #5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
    #6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
    #7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
    #8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)

    Fixes github pull request #19.

    diff --git a/lib/huffdec.c b/lib/huffdec.c
    index cc1828d..1bab3dd 100644
    --- a/lib/huffdec.c
    +++ b/lib/huffdec.c
    @@ -224,6 +224,7 @@ int oc_huff_tree_unpack(oc_pack_buf *_opb,unsigned char _tokens[256][2]){
    _tokens[ntokens][1]=(unsigned char)(len+neb);
    ntokens++;
    }
    + if(len<=0)break;
    code_bit=0x80000000U>>len-1;
    while(len>0&&(code&code_bit)){
    code^=code_bit;
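    Review bot: the added `if(len<=0)break;` leaves the unpacking loop silently instead of reporting a malformed header, so a token table that stops here would be returned as though it were complete; check that oc_huff_tree_unpack's return value (or its caller oc_huff_trees_unpack, per the trace) flags the truncated table as an error rather than decoding with it. Also, `code_bit=0x80000000U>>len-1` is undefined for len>32 as well as for len<=0, and nothing in this hunk bounds len from above, so confirm that check happens where len is read.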

    --
    Happy hacking
    Petter Reinholdtsen

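    The range check the commit describes, as an added example that is not libtheora's code: a small canonical-Huffman table builder and decoder in which every code length is validated before it can reach the shift `0x80000000U>>(len-1)`, together with a Kraft-sum check so an over-subscribed table is rejected too. Function and constant names are hypothetical, and the sample table of lengths is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define HUFF_MAX_LEN 32   /* codes are at most 32 bits, like code_bit in the hunk */
enum { HUFF_OK=0, HUFF_BAD_LEN=-1, HUFF_OVERSUBSCRIBED=-2, HUFF_UNSORTED=-3 };

/* Assigns canonical prefix codes to n symbols whose code lengths are listed
 * in non-decreasing order in lens[]; codes[i] gets symbol i's code, left-
 * aligned in 32 bits.  Every length is range-checked before the shift:
 * len<=0 (the fuzzed case) gives a negative exponent, len>32 an exponent
 * of 32 or more, and both are undefined behaviour in C. */
int huff_assign_codes(const int *lens,size_t n,uint32_t *codes){
  uint64_t used=0;   /* code space consumed so far, out of 2^32 */
  int prev=1;
  for(size_t i=0;i<n;i++){
    int len=lens[i];
    if(len<=0||len>HUFF_MAX_LEN)return HUFF_BAD_LEN;
    if(len<prev)return HUFF_UNSORTED;
    uint32_t code_bit=0x80000000U>>(len-1);  /* 2^(32-len), always defined here */
    if(used+code_bit>((uint64_t)1<<32))return HUFF_OVERSUBSCRIBED;  /* Kraft sum */
    codes[i]=(uint32_t)used;  /* aligned to 2^(32-len) because lens[] is sorted */
    used+=code_bit;
    prev=len;
  }
  return HUFF_OK;
}

/* Decodes one symbol from a left-aligned 32-bit window of input bits with a
 * table built by huff_assign_codes(); stores the code length in *nbits and
 * returns the symbol index, or -1 if nothing matches. */
int huff_decode_one(const int *lens,const uint32_t *codes,size_t n,
                    uint32_t window,int *nbits){
  for(size_t i=0;i<n;i++){
    if(lens[i]<=0||lens[i]>HUFF_MAX_LEN)return -1;
    uint32_t mask=~((0x80000000U>>(lens[i]-1))-1U);  /* top lens[i] bits set */
    if((window&mask)==codes[i]){ *nbits=lens[i]; return (int)i; }
  }
  return -1;
}

/* Constructed sample table (lengths 1,2,3,3, a complete code) for a
 * stand-alone check: returns the decoded symbol, -2 if assignment fails. */
int huff_sample_decode(uint32_t window,int *nbits){
  static const int lens[4]={1,2,3,3};
  uint32_t codes[4];
  if(huff_assign_codes(lens,4,codes)!=HUFF_OK)return -2;
  return huff_decode_one(lens,codes,4,window,nbits);
}
```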
  • From Petter Reinholdtsen@21:1/5 to All on Sun Mar 16 05:50:01 2025
    Control: found -1 1.2.0~alpha1+dfsg-1
    Control: notfound -1 1.1.1+dfsg.1-1
    Control: notfound -1 1.1.1+dfsg.1-15
    Control: notfound -1 1.1.1+dfsg.1-16.1
    Control: notfound -1 1.1.1+dfsg.1-17

    I had a look at applying the security fix to the stable release in
    Debian, version 1.1.1+dfsg.1-16.1, but am unable to find the
    problematic left shift in the code.

    Trying to reproduce the error reported in this issue did not work with
    version 1.1.1, but it exposed other unrelated issues already fixed in
    1.2.0beta1 (for example using <<3 instead of *8 on negative numbers,
    which is undefined behaviour with recent GCC editions). I'll handle
    these in a stable update I am working on.

    --
    Happy hacking
    Petter Reinholdtsen
