Launchpad has imported 17 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=441239.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-04-07T11:41:09+00:00 Tomas wrote:

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1686 to the following vulnerability:

Quoting oCert advisory:

The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input. A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution.

Affected version: <= 0.9.0
Fixed version: 0.9.1

Upstream patch in trunk:
http://trac.annodex.net/changeset/3536

References:
http://www.ocert.org/advisories/ocert-2008-2.html
http://lists.xiph.org/pipermail/speex-dev/2008-April/006636.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/0

------------------------------------------------------------------------
On 2008-04-07T12:48:20+00:00 Tomas wrote:

oCert-2008-2 was updated to list speex as affected as well:

Additional affected packages: Speex <= 1.1.6, the reference implementation from which libfishsound is derived.

Current Fedora speex packages are not affected by this problem. Affected speex packages are shipped in Red Hat Enterprise Linux 4 and 5.

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/1

------------------------------------------------------------------------
On 2008-04-07T12:55:52+00:00 Tomas wrote:

For speex, fix first occurred in 1.2.0beta1.
Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/2

------------------------------------------------------------------------
On 2008-04-07T17:51:19+00:00 Tomas wrote:

Some more info in Conrad Parker's blog:
http://blog.kfish.org/2008/04/release-libfishsound-091.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/3

------------------------------------------------------------------------
On 2008-04-11T11:24:34+00:00 Tomas wrote:

So far, the same issue was identified in the following other projects:
- gstreamer-plugins-good-0.10.6
- vorbis-tools-1.1.1 (ogg123)
- sweep-0.9.2
- xine-lib-1.1.11.1
- vlc-0.8.6f (not shipped in Fedora or Red Hat Enterprise Linux)
- SDL_sound-1.0.1

Fedora packages seem unaffected, as they do not seem to be linked against libspeex despite --enable-speex and speex-devel BuildRequires.

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/4

------------------------------------------------------------------------
On 2008-04-11T11:25:53+00:00 Tomas wrote:

So far, fixed upstream in:
- gstreamer-plugins-good
  http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41
- sweep
  http://trac.metadecks.org/changeset/554

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/5

------------------------------------------------------------------------
On 2008-04-12T17:11:09+00:00 Tomas wrote:

Speex upstream added a check in speex_packet_to_header(), so that it can address this problem for all affected apps that use speex_packet_to_header and check its return value (all applications seem to do that correctly). For a caller of speex_packet_to_header that does not check the return value, it will reduce the problem to a crash caused by a NULL pointer dereference.
Patch applied to speex_packet_to_header():

$ svn diff -c 14701 http://svn.xiph.org/trunk/speex/libspeex/
Index: speex_header.c
===================================================================
--- speex_header.c (revision 14700)
+++ speex_header.c (revision 14701)
@@ -178,6 +178,13 @@
    ENDIAN_SWITCH(le_header->frames_per_packet);
    ENDIAN_SWITCH(le_header->extra_headers);
 
+   if (le_header->mode >= SPEEX_NB_MODES || le_header->mode < 0)
+   {
+      speex_notify("Invalid mode specified in Speex header");
+      speex_free (le_header);
+      return NULL;
+   }
+
    if (le_header->nb_channels>2)
       le_header->nb_channels = 2;
    if (le_header->nb_channels<1)

$ svn log -r 14701 http://svn.xiph.org/trunk/speex/libspeex/
------------------------------------------------------------------------
r14701 | jm | 2008-04-11 05:48:46 +0200 (Fri, 11 Apr 2008) | 5 lines

Patch by kfish that checks for headers with invalid mode numbers. Technically, it should have been the application's responsibility, but many didn't, so we ended up with security issues. Considering that there's no real use for modes that Speex doesn't know about, this should work around a lot of problems.
------------------------------------------------------------------------

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/6

------------------------------------------------------------------------
On 2008-04-14T15:11:06+00:00 Tomas wrote:

Upstream bugreport for ogg123:
https://trac.xiph.org/ticket/1347

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/7

------------------------------------------------------------------------
On 2008-04-14T16:14:16+00:00 Tomas wrote:

Upstream speex commit mentioned in comment #14 is also viewable via xiph.org trac:
https://trac.xiph.org/changeset/14701

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/8

------------------------------------------------------------------------
On 2008-04-15T16:07:35+00:00 Tomas wrote:

xine-lib 1.1.12 was released today adding the same check to the speex decoder used by xine-lib:
http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655

xine-lib update will not be needed for security reasons after the following speex updates are pushed to stable:
https://admin.fedoraproject.org/updates/F7/pending/speex-1.2-0.3.beta1
https://admin.fedoraproject.org/updates/F8/pending/speex-1.2-0.4.beta2

Those updates implement the check on the speex side, based on speex upstream change https://trac.xiph.org/changeset/14701

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/12

------------------------------------------------------------------------
On 2008-04-15T18:03:17+00:00 Tomas wrote:

xine-lib HG commit:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718fb;style=gitweb

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/13

------------------------------------------------------------------------
On 2008-04-17T03:48:15+00:00 Fedora wrote:

libfishsound-0.9.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/14

------------------------------------------------------------------------
On 2008-04-17T03:52:31+00:00 Fedora wrote:

speex-1.2-0.4.beta2 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/15

------------------------------------------------------------------------
On 2008-04-17T03:56:41+00:00 Fedora wrote:

speex-1.2-0.3.beta1 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/16

------------------------------------------------------------------------
On 2008-04-17T07:42:17+00:00 Tomas wrote:

oCERT published advisory oCERT-2008-004 describing affected applications:
http://www.ocert.org/advisories/ocert-2008-004.html

Speex package update is sufficient to address the issue in all affected applications.
Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/17

------------------------------------------------------------------------
On 2008-05-17T22:19:11+00:00 Fedora wrote:

libfishsound-0.9.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/30

------------------------------------------------------------------------
On 2008-06-19T14:28:26+00:00 Red wrote:

This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0235.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3117
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3191
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3059
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3103

Reply at: https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/33

** Changed in: speex (Fedora)
   Importance: Unknown => High

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to speex in Ubuntu.
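Review bot: in the speex_packet_to_header() hunk from r14701 quoted in comment 6 above, the new mode check is only a safety net for callers that both route header parsing through this function and test its return value; the function returns NULL on a bad mode, so a caller that ignores the result, as comment 6 notes, merely trades an attacker-steered function-pointer load for a NULL dereference, and decoders that index the mode table from their own copy of the header-parsing code (the libfishsound case) get no protection from this change and still need their own `mode < 0 || mode >= SPEEX_NB_MODES` test. Two smaller points: the `le_header->mode < 0` half of the condition is only meaningful because mode is a signed field, so if the field type is ever made unsigned the check should become a single `>= SPEEX_NB_MODES` compare rather than being left as dead code; and the test sits after the ENDIAN_SWITCH calls, which is correct because the comparison must see the host-order value, so any later reordering of this block has to keep it there. Rejecting the header outright, instead of clamping the way the nb_channels lines just below do, is the right call: there is no meaningful default for an unknown mode.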
https://bugs.launchpad.net/bugs/218652

Title:
  CVE-2008-1686: Multiple speex implementations insufficient boundary checks

Status in vorbis-tools: Fix Released
Status in xine-lib: Fix Released
Status in gst-plugins-good0.10 package in Ubuntu: Invalid
Status in libannodex package in Ubuntu: Invalid
Status in libfishsound package in Ubuntu: Fix Released
Status in libsdl-sound1.2 package in Ubuntu: Won't Fix
Status in speex package in Ubuntu: Invalid
Status in sweep package in Ubuntu: Won't Fix
Status in vlc package in Ubuntu: Fix Released
Status in vorbis-tools package in Ubuntu: Fix Released
Status in xine-lib package in Ubuntu: Fix Released
Status in xmms-speex package in Ubuntu: Invalid
Status in gst-plugins-good0.10 source package in Dapper: Fix Released
Status in libannodex source package in Dapper: Won't Fix
Status in libfishsound source package in Dapper: Won't Fix
Status in libsdl-sound1.2 source package in Dapper: Won't Fix
Status in speex source package in Dapper: Fix Released
Status in sweep source package in Dapper: Won't Fix
Status in vlc source package in Dapper: Won't Fix
Status in vorbis-tools source package in Dapper: Fix Released
Status in xine-lib source package in Dapper: Fix Released
Status in xmms-speex source package in Dapper: Invalid
Status in gst-plugins-good0.10 source package in Feisty: Fix Released
Status in libannodex source package in Feisty: Won't Fix
Status in libfishsound source package in Feisty: Won't Fix
Status in libsdl-sound1.2 source package in Feisty: Won't Fix
Status in speex source package in Feisty: Fix Released
Status in sweep source package in Feisty: Won't Fix
Status in vlc source package in Feisty: Won't Fix
Status in vorbis-tools source package in Feisty: Fix Released
Status in xine-lib source package in Feisty: Fix Released
Status in xmms-speex source package in Feisty: Won't Fix
Status in gst-plugins-good0.10 source package in Gutsy: Fix Released
Status in libannodex source package in Gutsy: Won't Fix
Status in libfishsound source package in Gutsy: Won't Fix
Status in libsdl-sound1.2 source package in Gutsy: Won't Fix
Status in speex source package in Gutsy: Fix Released
Status in sweep source package in Gutsy: Won't Fix
Status in vlc source package in Gutsy: Won't Fix
Status in vorbis-tools source package in Gutsy: Fix Released
Status in xine-lib source package in Gutsy: Fix Released
Status in xmms-speex source package in Gutsy: Won't Fix
Status in gst-plugins-good0.10 source package in Hardy: Fix Released
Status in libannodex source package in Hardy: Won't Fix
Status in libfishsound source package in Hardy: Fix Released
Status in libsdl-sound1.2 source package in Hardy: Won't Fix
Status in speex source package in Hardy: Fix Released
Status in sweep source package in Hardy: Won't Fix
Status in vlc source package in Hardy: Fix Released
Status in vorbis-tools source package in Hardy: Fix Released
Status in xine-lib source package in Hardy: Fix Released
Status in xmms-speex source package in Hardy: Invalid
Status in speex package in Fedora: Fix Released
Status in speex package in Gentoo Linux: Fix Released

Bug description:
  Description
  Uncontrolled array index in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

  See:
  http://www.ocert.org/advisories/ocert-2008-2.html
  http://www.ocert.org/advisories/ocert-2008-004.html

  From the oCERT advisory #2008-002:

  "The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input. A user controlled field in the header structure is used to build a function pointer.
  The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution.

  A patch has been committed to the libfishsound public repository.

  Affected version: <= 0.9.0
  Fixed version: 0.9.1

  Additional affected packages:
  Speex <= 1.1.12, the reference implementation from which libfishsound is derived.
  Illiminable DirectShow Filters, which statically include the libfishsound library.
  Annodex Plugins for Firefox.

  Credit: reporter wishes to remain anonymous
  CVE: CVE-2008-1686"

  From the oCERT advisory #2008-004:

  "The reference speex decoder from the Speex library performs insufficient boundary checks on a header structure read from user input; this has been reported in the oCERT-2008-002 advisory. Further investigation showed that several packages include similar code and are therefore vulnerable. In order to prevent the usage of incorrect header processing reference code, the speex_packet_to_header() function has been modified to bound the returned mode values in Speex >= 1.2beta3.2. This change automatically fixes applications that use the Speex library dynamically.

  Affected version:
  gstreamer-plugins-good <= 0.10.8
  SDL_sound <= 1.0.1
  Speex <= 1.1.12 (speexdec)
  Sweep <= 0.9.2
  vorbis-tools <= 1.2.0
  VLC Media Player <= 0.8.6f
  xine-lib <= 1.1.11.1
  XMMS speex plugin

  Fixed version:
  gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
  SDL_sound, patched in CVS
  Speex >= 1.2beta3.2 (patched in CVS)
  Sweep >= 0.9.3
  vorbis-tools, patched in CVS
  VLC Media Player, N/A
  xine-lib >= 1.1.12
  XMMS speex plugin, N/A

  Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger from the Red Hat Security Response Team for his help in investigating the issue.
  CVE: CVE-2008-1686"

To manage notifications about this bug go to:
https://bugs.launchpad.net/vorbis-tools/+bug/218652/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
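An added worked example of the bug class this report describes, written for this page and not taken from Speex, libfishsound or any of the projects listed above. It parses a constructed 80-byte Speex stream header, contrasts the upper-bound-only mode test that several decoders carried with the two-sided check r14701 put into speex_packet_to_header(), and computes how far a negative mode would move the function-pointer load out of the mode table. Assumptions: a 3-entry table of stand-in functions replaces libspeex's real mode table, the mode field is taken to sit at byte offset 40 of the header (the SpeexHeader field order as I recall it from speex_header.h), and the names make_header, parse_mode, mode_ok, mode_ok_upper_bound_only, mode_table_displacement, dispatch_mode and dispatch_constructed are this example's own.

```c
/* Added example for CVE-2008-1686; not code from Speex, libfishsound or the
 * bug thread. Header offsets and the mode table are assumptions (see above). */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPEEX_HEADER_SIZE 80
#define NB_MODES 3       /* like SPEEX_NB_MODES: narrowband, wideband, ultra-wideband */
#define MODE_OFFSET 40   /* assumed byte offset of the int32 "mode" field */

/* Stand-ins for the per-mode decoder entry points that libspeex keeps in a
 * table indexed by the header's mode field; each just returns its sample rate. */
typedef int (*mode_init_fn)(void);
static int nb_init(void)  { return 8000; }
static int wb_init(void)  { return 16000; }
static int uwb_init(void) { return 32000; }
static const mode_init_fn mode_table[NB_MODES] = { nb_init, wb_init, uwb_init };

/* Header integers are little-endian 32-bit on the wire. */
static int32_t rd_le32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

static void wr_le32(uint8_t *p, int32_t x)
{
    uint32_t v = (uint32_t)x;
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff);
    p[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Constructed test input: an 80-byte header carrying the given mode. Only the
 * magic and the mode field are filled in; nothing here is a real capture. */
void make_header(uint8_t out[SPEEX_HEADER_SIZE], int32_t mode)
{
    memset(out, 0, SPEEX_HEADER_SIZE);
    memcpy(out, "Speex   ", 8);
    wr_le32(out + MODE_OFFSET, mode);
}

/* Extract the mode field. Returns 0 on success, -1 if the buffer is too short
 * or lacks the magic. Deliberately does NOT validate the mode, mirroring
 * speex_packet_to_header() before r14701, which left that to the caller. */
int parse_mode(const uint8_t *buf, size_t len, int32_t *mode_out)
{
    if (len < SPEEX_HEADER_SIZE || memcmp(buf, "Speex   ", 8) != 0)
        return -1;
    *mode_out = rd_le32(buf + MODE_OFFSET);
    return 0;
}

/* The incomplete check several decoders carried: an upper bound only.
 * A negative mode passes it and indexes backwards from mode_table. */
int mode_ok_upper_bound_only(int32_t mode) { return mode < NB_MODES; }

/* The check r14701 added to speex_packet_to_header(): both bounds. */
int mode_ok(int32_t mode) { return mode >= 0 && mode < NB_MODES; }

/* Byte displacement from &mode_table[0] that mode_table[mode] would load from,
 * computed arithmetically so this example never performs the out-of-bounds
 * read itself. It shows how far a hostile mode steers the pointer fetch. */
long mode_table_displacement(int32_t mode)
{
    return (long)mode * (long)sizeof(mode_init_fn);
}

/* Hardened dispatch: sample rate of the selected mode, or -1 when the header
 * is malformed or its mode is out of range. */
int dispatch_mode(const uint8_t *buf, size_t len)
{
    int32_t mode;
    if (parse_mode(buf, len, &mode) != 0 || !mode_ok(mode))
        return -1;
    return mode_table[mode]();
}

/* Build a header with the given mode and run it through dispatch_mode(). */
int dispatch_constructed(int32_t mode)
{
    uint8_t hdr[SPEEX_HEADER_SIZE];
    make_header(hdr, mode);
    return dispatch_mode(hdr, sizeof hdr);
}

int main(void)
{
    const int32_t probes[] = { 1, 3, -1, INT32_MIN / 8 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("mode %11" PRId32 ": upper-bound-only check %s, full check %s, "
               "table displacement %ld bytes, dispatch -> %d\n",
               probes[i],
               mode_ok_upper_bound_only(probes[i]) ? "passes" : "rejects",
               mode_ok(probes[i]) ? "passes" : "rejects",
               mode_table_displacement(probes[i]),
               dispatch_constructed(probes[i]));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`; main() prints one line per probe. The row to look at is mode -1: it passes the upper-bound-only test, yet on an LP64 build the table lookup would fetch its function pointer from 8 bytes before mode_table, which is the negative-index path the advisory describes. With a large negative mode the displacement runs to gigabytes, i.e. anywhere in the address space. The two-sided check rejects both, and dispatch_mode() returns -1 instead of calling through the table.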

