desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #34063
[Bug 218652]
Thank you for reporting this bug and helping to make Ubuntu better. The
package referred to in this bug is in universe or multiverse and
reported against a release of Ubuntu (hardy) which no longer receives
updates outside of the explicitly supported LTS packages. While the bug
against hardy is being marked "Won't Fix" for now, if you are interested
feel free to post a debdiff for this issue. When a debdiff is available,
members of the security team will review it and publish the package. See
the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'
Please feel free to report any other bugs you may find.
** Changed in: libsdl-sound1.2 (Ubuntu Hardy)
Status: Confirmed => Won't Fix
** Changed in: libfishsound (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: sweep (Ubuntu)
Status: Confirmed => Won't Fix
** Changed in: libsdl-sound1.2 (Ubuntu)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gst-plugins-good0.10 in Ubuntu.
https://bugs.launchpad.net/bugs/218652
Title:
CVE-2008-1686: Multiple speex implementations insufficient boundary
checks
Status in vorbis-tools:
Fix Released
Status in xine-lib - the Xine Video/Media Player Library:
Fix Released
Status in “gst-plugins-good0.10” package in Ubuntu:
Invalid
Status in “libannodex” package in Ubuntu:
Invalid
Status in “libfishsound” package in Ubuntu:
Fix Released
Status in “libsdl-sound1.2” package in Ubuntu:
Won't Fix
Status in “speex” package in Ubuntu:
Invalid
Status in “sweep” package in Ubuntu:
Won't Fix
Status in “vlc” package in Ubuntu:
Fix Released
Status in “vorbis-tools” package in Ubuntu:
Fix Released
Status in “xine-lib” package in Ubuntu:
Fix Released
Status in “xmms-speex” package in Ubuntu:
Invalid
Status in “gst-plugins-good0.10” source package in Dapper:
Fix Released
Status in “libannodex” source package in Dapper:
Won't Fix
Status in “libfishsound” source package in Dapper:
Won't Fix
Status in “libsdl-sound1.2” source package in Dapper:
Won't Fix
Status in “speex” source package in Dapper:
Fix Released
Status in “sweep” source package in Dapper:
Won't Fix
Status in “vlc” source package in Dapper:
Won't Fix
Status in “vorbis-tools” source package in Dapper:
Fix Released
Status in “xine-lib” source package in Dapper:
Fix Released
Status in “xmms-speex” source package in Dapper:
Invalid
Status in “gst-plugins-good0.10” source package in Feisty:
Fix Released
Status in “libannodex” source package in Feisty:
Won't Fix
Status in “libfishsound” source package in Feisty:
Won't Fix
Status in “libsdl-sound1.2” source package in Feisty:
Won't Fix
Status in “speex” source package in Feisty:
Fix Released
Status in “sweep” source package in Feisty:
Won't Fix
Status in “vlc” source package in Feisty:
Won't Fix
Status in “vorbis-tools” source package in Feisty:
Fix Released
Status in “xine-lib” source package in Feisty:
Fix Released
Status in “xmms-speex” source package in Feisty:
Won't Fix
Status in “gst-plugins-good0.10” source package in Gutsy:
Fix Released
Status in “libannodex” source package in Gutsy:
Won't Fix
Status in “libfishsound” source package in Gutsy:
Won't Fix
Status in “libsdl-sound1.2” source package in Gutsy:
Won't Fix
Status in “speex” source package in Gutsy:
Fix Released
Status in “sweep” source package in Gutsy:
Won't Fix
Status in “vlc” source package in Gutsy:
Won't Fix
Status in “vorbis-tools” source package in Gutsy:
Fix Released
Status in “xine-lib” source package in Gutsy:
Fix Released
Status in “xmms-speex” source package in Gutsy:
Won't Fix
Status in “gst-plugins-good0.10” source package in Hardy:
Fix Released
Status in “libannodex” source package in Hardy:
Won't Fix
Status in “libfishsound” source package in Hardy:
Fix Released
Status in “libsdl-sound1.2” source package in Hardy:
Won't Fix
Status in “speex” source package in Hardy:
Fix Released
Status in “sweep” source package in Hardy:
Won't Fix
Status in “vlc” source package in Hardy:
Fix Released
Status in “vorbis-tools” source package in Hardy:
Fix Released
Status in “xine-lib” source package in Hardy:
Fix Released
Status in “xmms-speex” source package in Hardy:
Invalid
Status in “speex” package in Fedora:
Fix Released
Status in “speex” package in Gentoo Linux:
Fix Released
Bug description:
Description
Uncontrolled array index in Speex 1.1.12 and earlier, as used in
libfishsound 0.9.0 and earlier, including Illiminable DirectShow
Filters and Annodex Plugins for Firefox, allows remote attackers to
execute arbitrary code via a header structure containing a negative
offset, which is used to dereference a function pointer.
See:
http://www.ocert.org/advisories/ocert-2008-2.html
http://www.ocert.org/advisories/ocert-2008-004.html
From the oCERT advisory #2008-002:
"The libfishsound decoder library incorrectly implements the
reference speex decoder from the Speex library, performing
insufficient boundary checks on a header structure read from user
input.
A user controlled field in the header structure is used to build a
function pointer. The libfishsound implementation does not check for
negative values for the field, allowing the function pointer to be
pointed at an arbitary position in memory. This allows remote code
execution.
A patch has been committed to the libfishsound public repository.
Affected version: <= 0.9.0
Fixed version: 0.9.1
Additional affected packages:
Speex <= 1.1.12, the reference implementation from which libfishsound
is derived.
Illiminable DirectShow Filters, which statically include the
libfishsound library.
Annodex Plugins for Firefox.
Credit: reporter wishes to remain anonymous
CVE: CVE-2008-1686"
From the oCERT advisory #2008-004:
"The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.
Further investigation showed that several packages include similar code and
are therefore vulnerable.
In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.
Affected version:
gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin
Fixed version:
gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A
Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.
CVE: CVE-2008-1686"
To manage notifications about this bug go to:
https://bugs.launchpad.net/vorbis-tools/+bug/218652/+subscriptions