Steffen Joeris
2008-May-23 09:10 UTC
[Secure-testing-team] Bug#482518: libvorbis0a: possible integer overflows and DoS attacks
Package: libvorbis0a Version: 1.2.0.dfsg-3.1 Severity: grave Tags: security, patch Justification: user security hole Hi The following CVEs(0,1,2) have been issued against libvorbis. CVE-2008-1423: Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow. CVE-2008-1420: Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. CVE-2008-1419: Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow. Possible patches are attached. Since the misc.c file does not exist, it should be enough to just patch the misc.h file, but please feel free to review. Please also mention the CVE ids in your changelog, when you fix these issues. Cheers Steffen (0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1423 (1): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1420 (2): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1419 -------------- next part -------------- A non-text attachment was scrubbed... Name: CVE-2008-1420.patch Type: text/x-c Size: 1522 bytes Desc: not available Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080523/bfacc4ed/attachment.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: CVE-2008-1423+CVE-2008-1419.patch Type: text/x-c Size: 678 bytes Desc: not available Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080523/bfacc4ed/attachment-0001.bin