*** This bug is a security vulnerability ***

Public security bug reported:

Description

Uncontrolled array index in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

See:
http://www.ocert.org/advisories/ocert-2008-2.html
http://www.ocert.org/advisories/ocert-2008-004.html

From the oCERT advisory #2008-002:

"The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution.

A patch has been committed to the libfishsound public repository.

Affected version: <= 0.9.0

Fixed version: 0.9.1

Additional affected packages:
Speex <= 1.1.12, the reference implementation from which libfishsound is derived.
Illiminable DirectShow Filters, which statically include the libfishsound library.
Annodex Plugins for Firefox.

Credit: reporter wishes to remain anonymous

CVE: CVE-2008-1686"

From the oCERT advisory #2008-004:

"The reference speex decoder from the Speex library performs insufficient boundary checks on a header structure read from user input, this has been reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code, the speex_packet_to_header() function has been modified to bound the returned mode values in Speex >= 1.2beta3.2. This change automatically fixes applications that use the Speex library dynamically.

Affected version:
gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:
gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger from the Red Hat Security Response Team for his help in investigating the issue.

CVE: CVE-2008-1686"

** Affects: gst-plugins-good0.10 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libannodex (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libfishsound (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libsdl-sound1.2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: speex (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: sweep (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: vlc (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: vorbis-tools (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: xine-lib (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: xmms-speex (Ubuntu)
     Importance: Undecided
         Status: New

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1686

** Changed in: speex (Ubuntu)
Sourcepackagename: None => speex

** Also affects: libfishsound (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: libannodex (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: gst-plugins-good0.10 (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: libsdl-sound1.2 (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: sweep (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: vorbis-tools (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: vlc (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: xine-lib (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** Also affects: xmms-speex (Ubuntu)
     Importance: Undecided
         Status: New

--
CVE-2008-1686: Multiple speex implementations insufficient boundary checks
https://bugs.launchpad.net/bugs/218652
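
The missing lower-bound check that both advisories describe, as an added C example (not code from Speex, libfishsound or the advisories). All names and the 4-byte header layout are hypothetical and constructed for illustration; the example shows why a signed, user-controlled table index needs both bounds checked before it selects a function pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and a constructed header layout (mode field at offset 0,
   signed 32-bit little-endian); this is not the real Speex header or API. */
#define NB_MODES 3

typedef int (*decode_fn)(void);
static int decode_nb(void)  { return 8000; }
static int decode_wb(void)  { return 16000; }
static int decode_uwb(void) { return 32000; }
static const decode_fn mode_table[NB_MODES] = { decode_nb, decode_wb, decode_uwb };

/* Assemble the untrusted mode field byte by byte, then reinterpret as signed. */
static int32_t read_mode(const unsigned char *h) {
    uint32_t v = (uint32_t)h[0] | ((uint32_t)h[1] << 8) |
                 ((uint32_t)h[2] << 16) | ((uint32_t)h[3] << 24);
    return (int32_t)v;
}

/* Flawed check: upper bound only, so a negative mode is accepted. */
int accepts_upper_bound_only(int32_t mode) { return mode < NB_MODES; }

/* Corrected check: the index must lie in [0, NB_MODES). */
int accepts_bounded(int32_t mode) { return mode >= 0 && mode < NB_MODES; }

/* Hardened lookup: NULL for a short header or an out-of-range mode. */
decode_fn select_decoder(const unsigned char *hdr, size_t len) {
    if (hdr == NULL || len < 4) return NULL;
    int32_t mode = read_mode(hdr);
    if (!accepts_bounded(mode)) return NULL;
    return mode_table[mode];
}

int main(void) {
    const unsigned char ok[4]  = { 0x01, 0x00, 0x00, 0x00 }; /* constructed: mode 1 */
    const unsigned char neg[4] = { 0xff, 0xff, 0xff, 0xff }; /* constructed: mode -1 */
    printf("mode -1: upper-bound-only=%d bounded=%d\n",
           accepts_upper_bound_only(read_mode(neg)), accepts_bounded(read_mode(neg)));
    printf("ok header  -> %s\n", select_decoder(ok, sizeof ok) ? "decoder" : "rejected");
    printf("neg header -> %s\n", select_decoder(neg, sizeof neg) ? "decoder" : "rejected");
    return 0;
}
```

Callers must treat a NULL return as a malformed stream and stop decoding rather than fall back to a default mode.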