Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

Jamie Strandboge jamie at strandboge.com
Wed May 7 22:12:09 UTC 2008


Package: vorbis-tools
Version: 1.2.0-1.1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu hardy ubuntu-patch

vorbis-tools contains embedded speex code, and although vorbis-tools is linked
to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu
is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

Here is a suggested changelog entry:

  * SECURITY UPDATE: array index vulnerability 
  * debian/patches/CVE-2008-1686.diff: fix for ogg123/speex_format.c to
    properly validate its input
  * References
    CVE-2008-1686
-------------- next part --------------
diff -u vorbis-tools-1.2.0/debian/changelog vorbis-tools-1.2.0/debian/changelog
diff -u vorbis-tools-1.2.0/debian/patches/series vorbis-tools-1.2.0/debian/patches/series
--- vorbis-tools-1.2.0/debian/patches/series
+++ vorbis-tools-1.2.0/debian/patches/series
@@ -5,0 +6 @@
+CVE-2008-1686.patch
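
Review bot: The series entry added here is CVE-2008-1686.patch, but the suggested changelog entry in the message refers to debian/patches/CVE-2008-1686.diff, so the two names need to agree before upload. The "diff -u" line for debian/changelog also carries no hunk, so the changelog text has to be added by hand; when doing so, use the .patch name that series and the new file under debian/patches/ both use.
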
only in patch2:
unchanged:
--- vorbis-tools-1.2.0.orig/debian/patches/CVE-2008-1686.patch
+++ vorbis-tools-1.2.0/debian/patches/CVE-2008-1686.patch
@@ -0,0 +1,12 @@
+diff -Nur vorbis-tools-1.2.0/ogg123/speex_format.c vorbis-tools-1.2.0.new/ogg123/speex_format.c
+--- vorbis-tools-1.2.0/ogg123/speex_format.c	2008-03-03 00:37:26.000000000 -0500
++++ vorbis-tools-1.2.0.new/ogg123/speex_format.c	2008-05-07 17:34:31.000000000 -0400
+@@ -475,7 +475,7 @@
+            cb->printf_error(callback_arg, ERROR, _("Cannot read header"));
+      return NULL;
+    }
+-   if ((*header)->mode >= SPEEX_NB_MODES) {
++   if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) {
+      cb->printf_error(callback_arg, ERROR, 
+ 		      _("Mode number %d does not (any longer) exist in this version"),
+ 	      (*header)->mode);
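
Review bot: The added "(*header)->mode < 0" test on the changed condition rejects negative mode values, but the error path below it still prints "Mode number %d does not (any longer) exist in this version", which is misleading for a negative value taken from the header. Consider a wording that covers any out-of-range mode, and put the lower bound first ("(*header)->mode < 0 || (*header)->mode >= SPEEX_NB_MODES") so the range check reads in order. The new patch file also starts directly at the "diff -Nur" line with no description, so a short header naming CVE-2008-1686 and what the check protects would help later maintainers.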


More information about the pkg-xiph-maint mailing list