Package: vorbis-tools
Version: 1.2.0-1.1
Severity: grave
Tags: patch security
Justification: user security hole
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch

vorbis-tools contains embedded speex code, and although vorbis-tools is linked to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

Here is a suggested changelog entry:

  * SECURITY UPDATE: array index vulnerability
  * debian/patches/CVE-2008-1686.diff: fix for ogg123/speex_format.c to properly validate its input
  * References CVE-2008-1686

diff -u vorbis-tools-1.2.0/debian/changelog vorbis-tools-1.2.0/debian/changelog diff -u vorbis-tools-1.2.0/debian/patches/series vorbis-tools-1.2.0/debian/patches/series --- vorbis-tools-1.2.0/debian/patches/series +++ vorbis-tools-1.2.0/debian/patches/series @@ -5,0 +6 @@ +CVE-2008-1686.patch only in patch2: unchanged: --- vorbis-tools-1.2.0.orig/debian/patches/CVE-2008-1686.patch +++ vorbis-tools-1.2.0/debian/patches/CVE-2008-1686.patch @@ -0,0 +1,12 @@ +diff -Nur vorbis-tools-1.2.0/ogg123/speex_format.c vorbis-tools-1.2.0.new/ogg123/speex_format.c +--- vorbis-tools-1.2.0/ogg123/speex_format.c 2008-03-03 00:37:26.000000000 -0500 ++++ vorbis-tools-1.2.0.new/ogg123/speex_format.c 2008-05-07 17:34:31.000000000 -0400 +@@ -475,7 +475,7 @@ + cb->printf_error(callback_arg, ERROR, _("Cannot read header")); + return NULL; + } +- if ((*header)->mode >= SPEEX_NB_MODES) { ++ if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) { + cb->printf_error(callback_arg, ERROR, + _("Mode number %d does not (any longer) exist in this version"), + (*header)->mode);
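
Review bot: the debian/patches/series hunk registers CVE-2008-1686.patch, and the new file is created under that same name, but the suggested changelog entry cites debian/patches/CVE-2008-1686.diff. Use one file name in both places so the changelog points at the patch that actually ships.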
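
Review bot: the new debian/patches/CVE-2008-1686.patch begins directly at its "diff -Nur" line, with no header saying what it fixes. Add a short description above the diff that names CVE-2008-1686 and states that the change rejects a negative (*header)->mode in ogg123/speex_format.c, so the purpose is clear from the patch file alone. Within the inner hunk, a negative mode now reaches the existing "Mode number %d does not (any longer) exist in this version" message, which reads oddly for a value that was never valid; a separate message for the out-of-range case would be clearer, while the bounds check itself now covers both ends.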