[Secure-testing-team] Bug#482518: libvorbis0a: possible integer overflows and DoS attacks

Steffen Joeris steffen.joeris at skolelinux.de
Fri May 23 09:10:58 UTC 2008 

Package: libvorbis0a
Version: 1.2.0.dfsg-3.1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following CVEs(0,1,2) have been issued against libvorbis.


CVE-2008-1423:

Integer overflow in a certain quantvals and quantlist calculation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a crafted OGG
file with a large virtual space for its codebook, which triggers a heap
overflow.


CVE-2008-1420:

Integer overflow in residue partition value (aka partvals) evaluation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute
arbitrary code via a crafted OGG file, which triggers a heap overflow.


CVE-2008-1419:

Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero
value for codebook.dim, which allows remote attackers to cause a denial
of service (crash or infinite loop) or trigger an integer overflow.


Possible patches are attached. Since the misc.c file does not exist, it
should be enough to just patch the misc.h file, but please feel free to
review.

Please also mention the CVE ids in your changelog, when you fix these issues.

Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1423

(1): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1420

(2): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1419
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2008-1420.patch
Type: text/x-c
Size: 1522 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080523/bfacc4ed/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2008-1423+CVE-2008-1419.patch
Type: text/x-c
Size: 678 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080523/bfacc4ed/attachment-0001.bin

More information about the Secure-testing-team mailing list