** Changed in: xine-lib
   Importance: Unknown => High

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to vorbis-tools in Ubuntu.
https://bugs.launchpad.net/bugs/218652

Title:
  CVE-2008-1686: Multiple speex implementations insufficient boundary checks

Status in vorbis-tools: Fix Released
Status in xine-lib - the Xine Video/Media Player Library: Fix Released
Status in “gst-plugins-good0.10” package in Ubuntu: Invalid
Status in “libannodex” package in Ubuntu: Invalid
Status in “libfishsound” package in Ubuntu: Fix Released
Status in “libsdl-sound1.2” package in Ubuntu: Won't Fix
Status in “speex” package in Ubuntu: Invalid
Status in “sweep” package in Ubuntu: Won't Fix
Status in “vlc” package in Ubuntu: Fix Released
Status in “vorbis-tools” package in Ubuntu: Fix Released
Status in “xine-lib” package in Ubuntu: Fix Released
Status in “xmms-speex” package in Ubuntu: Invalid
Status in “gst-plugins-good0.10” source package in Dapper: Fix Released
Status in “libannodex” source package in Dapper: Won't Fix
Status in “libfishsound” source package in Dapper: Won't Fix
Status in “libsdl-sound1.2” source package in Dapper: Won't Fix
Status in “speex” source package in Dapper: Fix Released
Status in “sweep” source package in Dapper: Won't Fix
Status in “vlc” source package in Dapper: Won't Fix
Status in “vorbis-tools” source package in Dapper: Fix Released
Status in “xine-lib” source package in Dapper: Fix Released
Status in “xmms-speex” source package in Dapper: Invalid
Status in “gst-plugins-good0.10” source package in Feisty: Fix Released
Status in “libannodex” source package in Feisty: Won't Fix
Status in “libfishsound” source package in Feisty: Won't Fix
Status in “libsdl-sound1.2” source package in Feisty: Won't Fix
Status in “speex” source package in Feisty: Fix Released
Status in “sweep” source package in Feisty: Won't Fix
Status in “vlc” source package in Feisty: Won't Fix
Status in “vorbis-tools” source package in Feisty: Fix Released
Status in “xine-lib” source package in Feisty: Fix Released
Status in “xmms-speex” source package in Feisty: Won't Fix
Status in “gst-plugins-good0.10” source package in Gutsy: Fix Released
Status in “libannodex” source package in Gutsy: Won't Fix
Status in “libfishsound” source package in Gutsy: Won't Fix
Status in “libsdl-sound1.2” source package in Gutsy: Won't Fix
Status in “speex” source package in Gutsy: Fix Released
Status in “sweep” source package in Gutsy: Won't Fix
Status in “vlc” source package in Gutsy: Won't Fix
Status in “vorbis-tools” source package in Gutsy: Fix Released
Status in “xine-lib” source package in Gutsy: Fix Released
Status in “xmms-speex” source package in Gutsy: Won't Fix
Status in “gst-plugins-good0.10” source package in Hardy: Fix Released
Status in “libannodex” source package in Hardy: Won't Fix
Status in “libfishsound” source package in Hardy: Fix Released
Status in “libsdl-sound1.2” source package in Hardy: Won't Fix
Status in “speex” source package in Hardy: Fix Released
Status in “sweep” source package in Hardy: Won't Fix
Status in “vlc” source package in Hardy: Fix Released
Status in “vorbis-tools” source package in Hardy: Fix Released
Status in “xine-lib” source package in Hardy: Fix Released
Status in “xmms-speex” source package in Hardy: Invalid
Status in “speex” package in Fedora: Fix Released
Status in “speex” package in Gentoo Linux: Fix Released

Bug description:
  Description

  Uncontrolled array index in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

  See:
  http://www.ocert.org/advisories/ocert-2008-2.html
  http://www.ocert.org/advisories/ocert-2008-004.html

  From the oCERT advisory #2008-002:

  "The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

  A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution.

  A patch has been committed to the libfishsound public repository.

  Affected version: <= 0.9.0

  Fixed version: 0.9.1

  Additional affected packages:
  Speex <= 1.1.12, the reference implementation from which libfishsound is derived.
  Illiminable DirectShow Filters, which statically include the libfishsound library.
  Annodex Plugins for Firefox.

  Credit: reporter wishes to remain anonymous

  CVE: CVE-2008-1686"

  From the oCERT advisory #2008-004:

  "The reference speex decoder from the Speex library performs insufficient boundary checks on a header structure read from user input, this has been reported in oCERT-2008-002 advisory. Further investigation showed that several packages include similar code and are therefore vulnerable.

  In order to prevent the usage of incorrect header processing reference code, the speex_packet_to_header() function has been modified to bound the returned mode values in Speex >= 1.2beta3.2. This change automatically fixes applications that use the Speex library dynamically.

  Affected version:
  gstreamer-plugins-good <= 0.10.8
  SDL_sound <= 1.0.1
  Speex <= 1.1.12 (speexdec)
  Sweep <= 0.9.2
  vorbis-tools <= 1.2.0
  VLC Media Player <= 0.8.6f
  xine-lib <= 1.1.11.1
  XMMS speex plugin

  Fixed version:
  gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
  SDL_sound, patched in CVS
  Speex >= 1.2beta3.2 (patched in CVS)
  Sweep >= 0.9.3
  vorbis-tools, patched in CVS
  VLC Media Player, N/A
  xine-lib >= 1.1.12
  XMMS speex plugin, N/A

  Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger from the Red Hat Security Response Team for his help in investigating the issue.

  CVE: CVE-2008-1686"
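
The missing negative-value check that both advisories describe, shown next to a lookup that bounds the mode field on both sides. This is an added example, not code from Speex, libfishsound or any of the affected packages; the mode table, the field offset, the header size and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NB_MODES    3   /* size of this example's mode table (hypothetical) */
#define MODE_OFFSET 40  /* assumed offset of the 32-bit LE mode field */
#define HEADER_LEN  80  /* assumed header size */

typedef int (*decoder_fn)(void);
static int decode_nb(void)  { return 8000; }
static int decode_wb(void)  { return 16000; }
static int decode_uwb(void) { return 32000; }
/* Function-pointer table indexed by the header's mode field. */
static const decoder_fn mode_table[NB_MODES] = { decode_nb, decode_wb, decode_uwb };

/* Read the signed 32-bit little-endian mode field from an untrusted header. */
static int read_mode(const uint8_t *hdr, size_t len, int32_t *mode) {
    if (hdr == NULL || len < (size_t)MODE_OFFSET + 4) return -1;
    uint32_t raw = 0;
    for (int i = 3; i >= 0; i--) raw = (raw << 8) | hdr[MODE_OFFSET + i];
    memcpy(mode, &raw, sizeof raw);
    return 0;
}

/* Model of the flaw: only the upper bound is tested (an assumption about the
   check's shape), so a negative mode passes. Returns 1 if accepted. */
int upper_bound_only_accepts(int32_t mode) { return mode < NB_MODES; }

/* Hardened lookup: bound the mode on both sides before indexing the table. */
decoder_fn select_decoder(const uint8_t *hdr, size_t len) {
    int32_t mode;
    if (read_mode(hdr, len, &mode) != 0) return NULL;
    if (mode < 0 || mode >= NB_MODES) return NULL;
    return mode_table[mode];
}

/* Build a constructed header carrying `mode`, run the hardened lookup, and
   return the decoder's result, or -1 if the header was rejected. */
int check_mode(int32_t mode) {
    uint8_t hdr[HEADER_LEN] = {0};
    uint32_t raw;
    memcpy(&raw, &mode, sizeof raw);
    for (int i = 0; i < 4; i++) hdr[MODE_OFFSET + i] = (uint8_t)(raw >> (8 * i));
    decoder_fn fn = select_decoder(hdr, sizeof hdr);
    return fn ? fn() : -1;
}

int main(void) {
    int32_t samples[] = { 1, 3, -1, INT32_MIN };
    for (int i = 0; i < 4; i++)
        printf("mode %ld: weak check accepts=%d, hardened result=%d\n", (long)samples[i],
               upper_bound_only_accepts(samples[i]), check_mode(samples[i]));
    return 0;
}
```

Bounding the value where the header is parsed, as the advisory says Speex >= 1.2beta3.2 does in speex_packet_to_header(), protects every dynamically linked caller at once; statically linked or copied decoder code needs the check applied in its own source.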