desktop-packages team mailing list archive

[Bug 218652]

Thank you for reporting this bug and helping to make Ubuntu better. The
package referred to in this bug is in universe or multiverse and
reported against a release of Ubuntu (hardy) which no longer receives
updates outside of the explicitly supported LTS packages. While the bug
against hardy is being marked "Won't Fix" for now, if you are interested
feel free to post a debdiff for this issue. When a debdiff is available,
members of the security team will review it and publish the package. See
the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

** Changed in: libannodex (Ubuntu Hardy)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gst-plugins-good0.10 in Ubuntu.
https://bugs.launchpad.net/bugs/218652

Title:
  CVE-2008-1686: Multiple speex implementations insufficient boundary
  checks

Status in vorbis-tools:
  Fix Released
Status in xine-lib - the Xine Video/Media Player Library:
  Fix Released
Status in “gst-plugins-good0.10” package in Ubuntu:
  Invalid
Status in “libannodex” package in Ubuntu:
  Invalid
Status in “libfishsound” package in Ubuntu:
  Fix Released
Status in “libsdl-sound1.2” package in Ubuntu:
  Won't Fix
Status in “speex” package in Ubuntu:
  Invalid
Status in “sweep” package in Ubuntu:
  Won't Fix
Status in “vlc” package in Ubuntu:
  Fix Released
Status in “vorbis-tools” package in Ubuntu:
  Fix Released
Status in “xine-lib” package in Ubuntu:
  Fix Released
Status in “xmms-speex” package in Ubuntu:
  Invalid
Status in “gst-plugins-good0.10” source package in Dapper:
  Fix Released
Status in “libannodex” source package in Dapper:
  Won't Fix
Status in “libfishsound” source package in Dapper:
  Won't Fix
Status in “libsdl-sound1.2” source package in Dapper:
  Won't Fix
Status in “speex” source package in Dapper:
  Fix Released
Status in “sweep” source package in Dapper:
  Won't Fix
Status in “vlc” source package in Dapper:
  Won't Fix
Status in “vorbis-tools” source package in Dapper:
  Fix Released
Status in “xine-lib” source package in Dapper:
  Fix Released
Status in “xmms-speex” source package in Dapper:
  Invalid
Status in “gst-plugins-good0.10” source package in Feisty:
  Fix Released
Status in “libannodex” source package in Feisty:
  Won't Fix
Status in “libfishsound” source package in Feisty:
  Won't Fix
Status in “libsdl-sound1.2” source package in Feisty:
  Won't Fix
Status in “speex” source package in Feisty:
  Fix Released
Status in “sweep” source package in Feisty:
  Won't Fix
Status in “vlc” source package in Feisty:
  Won't Fix
Status in “vorbis-tools” source package in Feisty:
  Fix Released
Status in “xine-lib” source package in Feisty:
  Fix Released
Status in “xmms-speex” source package in Feisty:
  Won't Fix
Status in “gst-plugins-good0.10” source package in Gutsy:
  Fix Released
Status in “libannodex” source package in Gutsy:
  Won't Fix
Status in “libfishsound” source package in Gutsy:
  Won't Fix
Status in “libsdl-sound1.2” source package in Gutsy:
  Won't Fix
Status in “speex” source package in Gutsy:
  Fix Released
Status in “sweep” source package in Gutsy:
  Won't Fix
Status in “vlc” source package in Gutsy:
  Won't Fix
Status in “vorbis-tools” source package in Gutsy:
  Fix Released
Status in “xine-lib” source package in Gutsy:
  Fix Released
Status in “xmms-speex” source package in Gutsy:
  Won't Fix
Status in “gst-plugins-good0.10” source package in Hardy:
  Fix Released
Status in “libannodex” source package in Hardy:
  Won't Fix
Status in “libfishsound” source package in Hardy:
  Fix Released
Status in “libsdl-sound1.2” source package in Hardy:
  Won't Fix
Status in “speex” source package in Hardy:
  Fix Released
Status in “sweep” source package in Hardy:
  Won't Fix
Status in “vlc” source package in Hardy:
  Fix Released
Status in “vorbis-tools” source package in Hardy:
  Fix Released
Status in “xine-lib” source package in Hardy:
  Fix Released
Status in “xmms-speex” source package in Hardy:
  Invalid
Status in “speex” package in Fedora:
  Fix Released
Status in “speex” package in Gentoo Linux:
  Fix Released

Bug description:
  Description

  Uncontrolled array index in Speex 1.1.12 and earlier, as used in
  libfishsound 0.9.0 and earlier, including Illiminable DirectShow
  Filters and Annodex Plugins for Firefox, allows remote attackers to
  execute arbitrary code via a header structure containing a negative
  offset, which is used to dereference a function pointer.

  See:
  http://www.ocert.org/advisories/ocert-2008-2.html
  http://www.ocert.org/advisories/ocert-2008-004.html

  From the oCERT advisory #2008-002:

  "The libfishsound decoder library incorrectly implements the
  reference speex decoder from the Speex library, performing
  insufficient boundary checks on a header structure read from user
  input.

  A user controlled field in the header structure is used to build a
  function pointer. The libfishsound implementation does not check for
  negative values for the field, allowing the function pointer to be
  pointed at an arbitrary position in memory. This allows remote code
  execution.

  A patch has been committed to the libfishsound public repository.

  Affected version: <= 0.9.0

  Fixed version: 0.9.1

  Additional affected packages:

  Speex <= 1.1.12, the reference implementation from which libfishsound
  is derived.

  Illiminable DirectShow Filters, which statically include the
  libfishsound library.

  Annodex Plugins for Firefox.

  Credit: reporter wishes to remain anonymous

  CVE: CVE-2008-1686"

  
  From the oCERT advisory #2008-004:

  "The reference speex decoder from the Speex library performs insufficient
  boundary checks on a header structure read from user input; this has been
  reported in oCERT-2008-002 advisory.

  Further investigation showed that several packages include similar code and
  are therefore vulnerable.

  In order to prevent the usage of incorrect header processing reference code,
  the speex_packet_to_header() function has been modified to bound the returned
  mode values in Speex >= 1.2beta3.2. This change automatically fixes
  applications that use the Speex library dynamically.

  Affected version:

  gstreamer-plugins-good <= 0.10.8
  SDL_sound <= 1.0.1
  Speex <= 1.1.12 (speexdec)
  Sweep <= 0.9.2
  vorbis-tools <= 1.2.0
  VLC Media Player <= 0.8.6f
  xine-lib <= 1.1.11.1
  XMMS speex plugin

  Fixed version:

  gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
  SDL_sound, patched in CVS
  Speex >= 1.2beta3.2 (patched in CVS)
  Sweep >= 0.9.3
  vorbis-tools, patched in CVS
  VLC Media Player, N/A
  xine-lib >= 1.1.12
  XMMS speex plugin, N/A

  Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
  from the Red Hat Security Response Team for his help in investigating the
  issue.

  CVE: CVE-2008-1686"

To manage notifications about this bug go to:
https://bugs.launchpad.net/vorbis-tools/+bug/218652/+subscriptions
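
The missing lower-bound check that the quoted advisories describe, as an added C example that is not part of the bug report and is not code from Speex, libfishsound or any affected package. The mode table, the 12-byte toy header and all function names are hypothetical, and the flawed check is assumed to have tested only the upper bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mode table: each entry carries a function pointer. */
typedef int (*decode_fn)(const uint8_t *in, size_t len);
typedef struct { const char *name; decode_fn decode; } codec_mode;
static int decode_noop(const uint8_t *in, size_t len) { (void)in; return (int)len; }
#define NB_MODES 3
static const codec_mode mode_list[NB_MODES] = {
    { "narrowband", decode_noop }, { "wideband", decode_noop },
    { "ultra-wideband", decode_noop },
};

/* Toy header for this example (not the real Speex layout):
 * 8-byte magic followed by a signed 32-bit little-endian mode field. */
#define HDR_LEN 12
/* Constructed sample packets: mode = 1 and mode = -2 (0xFFFFFFFE). */
static const uint8_t pkt_ok[HDR_LEN]  = { 'S','p','e','e','x',' ',' ',' ', 1,0,0,0 };
static const uint8_t pkt_neg[HDR_LEN] = { 'S','p','e','e','x',' ',' ',' ', 0xFE,0xFF,0xFF,0xFF };

static int read_mode(const uint8_t *pkt, size_t len, int32_t *mode)
{
    if (len < HDR_LEN || memcmp(pkt, "Speex   ", 8) != 0)
        return -1;
    uint32_t raw = (uint32_t)pkt[8] | (uint32_t)pkt[9] << 8 |
                   (uint32_t)pkt[10] << 16 | (uint32_t)pkt[11] << 24;
    *mode = (int32_t)raw;            /* user-controlled, may be negative */
    return 0;
}

/* Flawed pattern: only the upper bound is tested, so a negative mode is
 * accepted and would index memory before mode_list. Returns 1 if accepted. */
static int accepts_upper_only(int32_t mode) { return !(mode >= NB_MODES); }

/* Hardened lookup: reject anything outside [0, NB_MODES) before indexing. */
static const codec_mode *select_mode(const uint8_t *pkt, size_t len)
{
    int32_t mode;
    if (read_mode(pkt, len, &mode) != 0 || mode < 0 || mode >= NB_MODES)
        return NULL;
    return &mode_list[mode];
}

int main(void)
{
    printf("ok=%s neg=%s\n", select_mode(pkt_ok, HDR_LEN)->name,
           select_mode(pkt_neg, HDR_LEN) ? "accepted" : "rejected");
    return 0;
}
```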