[libvorbis] [CVE-2007-4066] multiple buffer overflows in libvorbis before 1.2.0

Bug #185031 reported by disabled.user
Affects                      Status        Importance  Assigned to  Milestone
libvorbis (Fedora)           Fix Released  High
libvorbis (Ubuntu)           Fix Released  Undecided   Unassigned
libvorbis (Ubuntu Dapper)    Won't Fix     Undecided   Unassigned

Bug Description

References:
DSA-1471-1 (http://www.debian.org/security/2008/dsa-1471)

Quoting CVE-2007-4066:
"Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array."

DSA-1471-1 also mentions CVE-2007-3106 and CVE-2007-4029, which have been fixed in USN-498-1.

Josh (josh-redhat-bugs) wrote:

Multiple flaws have been found in libvorbis. These are fixed via libvorbis
version 1.2.0.

It should be noted that libvorbis 1.2.0 also fixes the issue described in bug
245991.

The id number of each flaw is the subversion commit id. The descriptions were
provided by Chris Montgomery. The libvorbis subversion repository is located here:
http://svn.xiph.org/trunk/vorbis

13217: possible seek infinite loop in libvorbisfile
13215: multiplexed/non Vorbis stream support [heap read, potential heap write]
13211: better return value checking of seeks [heap read, potential heap write]
13179: check legal maximum blocksize [static array read]
13169,13170,13172: correctly handle codebooks with zero entries [heap read/write]
13168: low bitrate static mode declaration error [static read, heap read, potential heap write]
13151,13153,13154,13155,13167: residue decode vector overflow [heap read/write]
13162: static initializer declarations, check-before-free error fixes [heap read/write]
13149: check legal minimum blocksize [static array read]

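Commits 13149 and 13179 in the list above reject illegal minimum and maximum blocksizes before they are used to index static tables. The following is an added example, not libvorbis or Xiph.Org code: a minimal parser for the 30-byte Vorbis I identification header that enforces the blocksize rules from the Vorbis I specification (legal values are powers of two from 64 to 8192, and blocksize_0 must not exceed blocksize_1), next to a hypothetical blocksize-indexed static table that shows how far an unchecked 4-bit exponent can reach. The header bytes, the table and all function names are constructed for this example and do not correspond to libvorbis internals.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libvorbis code: parse the 30-byte Vorbis I identification
 * header and enforce the spec's blocksize rules (Vorbis I, section 4.2.2)
 * before the values reach any blocksize-indexed table. */
enum {
    VI_OK = 0,
    VI_ERR_SHORT = -1,      /* packet shorter than the fixed 30 bytes */
    VI_ERR_MAGIC = -2,      /* not packet type 1 followed by "vorbis" */
    VI_ERR_VERSION = -3,    /* vorbis_version must be 0 */
    VI_ERR_CHANNELS = -4,   /* audio_channels must be > 0 */
    VI_ERR_RATE = -5,       /* audio_sample_rate must be > 0 */
    VI_ERR_BLOCKSIZE = -6,  /* outside 64..8192, not a power of two, or bs0 > bs1 */
    VI_ERR_FRAMING = -7     /* framing bit must be set */
};

typedef struct {
    uint32_t version, rate;
    uint8_t channels;
    int32_t bitrate_max, bitrate_nominal, bitrate_min;
    int blocksize0, blocksize1;
} vorbis_ident;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Spec: blocksizes are powers of two from 64 (2^6) to 8192 (2^13). */
static int blocksize_is_legal(int bs) {
    return bs >= 64 && bs <= 8192 && (bs & (bs - 1)) == 0;
}

/* Hypothetical 8-entry static table indexed by log2(blocksize) - 6.  The header
 * stores the exponent in 4 bits, so an unchecked value can reach 15 (index 9),
 * two entries past the end of an array sized for the legal range: a static
 * array read of the kind commits 13149/13179 guard against. */
static const int blocksize_table[8] = { 64, 128, 256, 512, 1024, 2048, 4096, 8192 };

int blocksize_table_lookup(int bs) {
    if (!blocksize_is_legal(bs)) return -1;  /* refuse before indexing */
    int idx = 0;
    while ((64 << idx) != bs) idx++;
    return blocksize_table[idx];
}

int parse_ident_header(const uint8_t *buf, size_t len, vorbis_ident *out) {
    if (len < 30) return VI_ERR_SHORT;
    if (buf[0] != 1 || memcmp(buf + 1, "vorbis", 6) != 0) return VI_ERR_MAGIC;
    out->version = rd32le(buf + 7);
    if (out->version != 0) return VI_ERR_VERSION;
    out->channels = buf[11];
    if (out->channels == 0) return VI_ERR_CHANNELS;
    out->rate = rd32le(buf + 12);
    if (out->rate == 0) return VI_ERR_RATE;
    out->bitrate_max = (int32_t)rd32le(buf + 16);
    out->bitrate_nominal = (int32_t)rd32le(buf + 20);
    out->bitrate_min = (int32_t)rd32le(buf + 24);
    /* Vorbis packs bits LSB-first: blocksize_0's exponent is the low nibble
     * of byte 28, blocksize_1's exponent the high nibble. */
    int exp0 = buf[28] & 0x0f, exp1 = buf[28] >> 4;
    out->blocksize0 = 1 << exp0;
    out->blocksize1 = 1 << exp1;
    if (!blocksize_is_legal(out->blocksize0) || !blocksize_is_legal(out->blocksize1) ||
        out->blocksize0 > out->blocksize1)
        return VI_ERR_BLOCKSIZE;
    if ((buf[29] & 1) == 0) return VI_ERR_FRAMING;
    return VI_OK;
}

/* Constructed test header: stereo, 44100 Hz, caller-chosen blocksize byte. */
void make_ident_header(uint8_t out[30], uint8_t blocksize_byte) {
    memset(out, 0, 30);
    out[0] = 1;
    memcpy(out + 1, "vorbis", 6);
    out[11] = 2;
    wr32le(out + 12, 44100);
    out[28] = blocksize_byte;
    out[29] = 1;
}

/* Wrappers that parse a constructed header and return the result code or bs1. */
int constructed_header_result(uint8_t blocksize_byte) {
    uint8_t h[30]; vorbis_ident vi;
    make_ident_header(h, blocksize_byte);
    return parse_ident_header(h, sizeof h, &vi);
}

int constructed_header_blocksize1(uint8_t blocksize_byte) {
    uint8_t h[30]; vorbis_ident vi;
    make_ident_header(h, blocksize_byte);
    return parse_ident_header(h, sizeof h, &vi) == VI_OK ? vi.blocksize1 : -1;
}

int main(void) {
    /* 0xb8: 256/2048 legal; 0xf8: bs1 = 32768; 0x8b: bs0 > bs1; 0x85: bs0 = 32 */
    const uint8_t cases[] = { 0xb8, 0xf8, 0x8b, 0x85 };
    for (size_t i = 0; i < sizeof cases; i++)
        printf("blocksize byte 0x%02x -> %d\n", cases[i], constructed_header_result(cases[i]));
    return 0;
}
```

The point of the example is the order of operations: the blocksize values are validated in the header parser, so the table lookup never sees an exponent outside the 6..13 range that the 8-entry array was sized for. A decoder that derives the table index straight from the 4-bit field and checks legality later (or never) reads past the end of the static array for any crafted header with an exponent above 13.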
Josh (josh-redhat-bugs) wrote:

Here is the breakdown of CVE id to libvorbis commit id mapping:

CVE-2007-4065: 13217 (infinite loop)

CVE-2007-4029 covers 2 issues with unknown commit IDs.

  According to Monty these two issues are the commit ids:
  13151, 13154, 13155, 13167
  and
  13149, 13153, 13179

CVE-2007-4066: multiple flaws

      13215: multiplexed/non Vorbis stream support
             [heap read, potential heap write]

      13211: better return value checking of seeks
             [heap read, potential heap write]

      13169,13170,13172: correctly handle codebooks with zero entries
                         [heap read/write]

      13168: low bitrate static mode declaration error
             [static read, heap read, potential heap write]

      13162: static initializer declarations, check-before-free error fixes
             [heap read/write]

Adam Buchbinder (adam-buchbinder) wrote:

Gutsy, Hardy, Intrepid and Jaunty all use libvorbis 1.2.0 or higher. Marking as fix-released.

Changed in libvorbis:
status: New → Fix Released
Kees Cook (kees) wrote:

Dapper still needs this update, marking it as such.

Changed in libvorbis:
status: New → Triaged
Changed in libvorbis:
status: Unknown → Fix Released
Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libvorbis (Ubuntu Dapper):
status: Triaged → Won't Fix
Changed in libvorbis (Fedora):
importance: Unknown → High