16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

Bug #1737364 reported by Jeremy Bicha
Affects | Status | Importance | Assigned to | Milestone
brotli (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |

Bug Description

Impact
------
Integer underflow could be targeted as a buffer overflow
https://security-tracker.debian.org/tracker/source-package/brotli

Debdiff attached.

Because brotli is embedded in web browsers for WOFF2 support (to be somewhat fixed by the proposed brotli MIR), this issue was already mentioned in

https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox)
Luke Li discovered a buffer overflow during Brotli decompression in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1968)

https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide)
An integer underflow was discovered in Brotli. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2016-1624)

Regression Potential
--------------------
This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from late March to mid June 2016 when it was superseded by a newer version. The Ubuntu security sync tool wasn't able to retrieve this version now.

brotli has no reverse dependencies in Ubuntu and is in universe.

Testing Done
------------
Only a simple build test.

There is a build test to ensure basic functionality of brotli with both python2 and python3.

Other Info
----------
The main purpose of this security update is to clear up the security history section of MIR LP: #1737053.

It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to be backported to Ubuntu 16.04 and 17.10 as a security update (and promoted to main there), after 17.04 reaches End of Life.

Tags: patch xenial
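The "integer underflow could be targeted as a buffer overflow" pattern named in the Impact section, illustrated with a constructed example that is not brotli's code and is not taken from this bug report or its patch: a toy LZ77-style back-reference copy in which the unsigned subtraction `pos - dist` wraps to a huge value when the distance exceeds the bytes produced so far, shown beside the hardened form that validates the distance and the remaining space before doing any arithmetic on them. The `Output` struct, `copy_backref`, `decode_demo` and the sample stream ("abc" followed by a back-reference and then a deliberately malformed one) are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy LZ77-style output window (constructed for this example, not brotli's code). */
typedef struct {
    uint8_t *out;   /* output buffer */
    size_t cap;     /* capacity in bytes */
    size_t pos;     /* bytes produced so far */
} Output;

/* Unchecked variant showing the bug class: with unsigned arithmetic,
 * pos - dist wraps to a huge value when dist > pos, and a bounds check
 * based only on pos does not catch it. Returns the source index the
 * copy would read from, so the caller can see it lies outside any buffer. */
size_t unchecked_source_index(size_t pos, size_t dist) {
    return pos - dist;                   /* underflows when dist > pos */
}

/* Hardened back-reference copy: validate before any subtraction.
 * Returns 0 on success, -1 if the reference is rejected. */
int copy_backref(Output *o, size_t dist, size_t len) {
    if (dist == 0 || dist > o->pos)      /* reference must point into produced output */
        return -1;
    if (len > o->cap - o->pos)           /* space check without pos + len, which could wrap */
        return -1;
    size_t src = o->pos - dist;          /* safe: dist <= pos established above */
    for (size_t i = 0; i < len; i++)     /* byte-wise so overlapping copies (dist < len) repeat */
        o->out[o->pos + i] = o->out[src + i];
    o->pos += len;
    return 0;
}

/* Append literal bytes with the same overflow-safe space check. */
int append_literals(Output *o, const uint8_t *lit, size_t len) {
    if (len > o->cap - o->pos)
        return -1;
    memcpy(o->out + o->pos, lit, len);
    o->pos += len;
    return 0;
}

/* Constructed demo stream: literals "abc", then a back-reference
 * (dist 3, len 6) that expands to "abcabcabc", then a malformed
 * reference with dist 100 that must be rejected. Fills buf with the
 * decoded output, stores its length in *out_len and returns the number
 * of rejected operations. */
int decode_demo(uint8_t *buf, size_t cap, size_t *out_len) {
    Output o = { buf, cap, 0 };
    int rejected = 0;
    if (append_literals(&o, (const uint8_t *)"abc", 3) != 0) rejected++;
    if (copy_backref(&o, 3, 6) != 0) rejected++;
    if (copy_backref(&o, 100, 4) != 0) rejected++;   /* dist > pos: rejected */
    *out_len = o.pos;
    return rejected;
}

int main(void) {
    uint8_t buf[16];
    size_t n;
    int rejected = decode_demo(buf, sizeof buf, &n);
    printf("decoded %zu bytes: %.*s, rejected %d reference(s)\n",
           n, (int)n, (const char *)buf, rejected);
    printf("unchecked index for pos=3, dist=100: %zu (outside a 16-byte buffer)\n",
           unchecked_source_index(3, 100));
    return 0;
}
```

The defensive point is the ordering: the distance is compared against `pos` and the length against `cap - pos` while both operands are still known to be in range, so no subtraction can wrap. A check written after the subtraction, or one that computes `pos + len` and compares it to `cap`, can be satisfied by a wrapped value and lets the copy read or write outside the window.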

Jeremy Bicha (jbicha) wrote:
tags: added: patch
description: updated
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiff in comment #1. Package is building now and will be released as a security update. Thanks!

Changed in brotli (Ubuntu):
status: New → Fix Released
Changed in brotli (Ubuntu Xenial):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package brotli - 0.3.0+dfsg-2ubuntu1

---------------
brotli (0.3.0+dfsg-2ubuntu1) xenial-security; urgency=medium

  * SECURITY UPDATE: integer underflow in dec/decode.c (LP: #1737364)
    - debian/patches/fix-integer-underflow.patch: upstream patch via Debian
    - CVE-2016-1624
    - CVE-2016-1968

 -- Jeremy Bicha <email address hidden> Sat, 09 Dec 2017 17:45:50 -0500

Changed in brotli (Ubuntu Xenial):
status: Fix Committed → Fix Released