Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19688
HistoryApr 17, 2008 - 12:00 a.m.

[oCERT-2008-004] multiple speex implementations insufficient boundary checks

2008-04-1700:00:00
vulners.com
14
JSON

2008/04/17 #2008-004 multiple speex implementations insufficient boundary
checks

Description:

The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and
are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.

Affected version:

gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:

gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.

CVE: CVE-2008-1686

Timeline:
2008-04-10: investigation of oCERT-2008-002 leads to discovery of more affected packages
2008-04-10: Speex header processing code fixed in CVS
2008-04-11: contacted upstream maintainers and affected vendors
2008-04-11: gstreamer-plugins-good patched in CVS
2008-04-11: sweep 0.9.3 released
2008-04-11: SDL_sound patched in CVS
2008-04-14: vorbis-tools patched in CVS
2008-04-14: xine-lib 1.1.12 released
2008-04-17: advisory release

References:
http://www.ocert.org/advisories/ocert-2008-2.html
http://trac.xiph.org/changeset/14701
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&amp;r2=1.41
http://trac.metadecks.org/changeset/554
http://svn.icculus.org/SDL_sound?view=rev&amp;revision=537
http://svn.icculus.org/SDL_sound?view=rev&amp;revision=538
http://trac.xiph.org/changeset/14728
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718fb;style=gitweb

Links:
http://gstreamer.freedesktop.org/modules/gst-plugins-good.html
http://icculus.org/SDL_sound
http://www.speex.org
http://www.metadecks.org/software/sweep/
http://xiph.org
http://www.videolan.org/vlc
http://xinehq.de

Permalink:
http://www.ocert.org/advisories/ocert-2008-004.html

–
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team

<[email protected]> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"

Related

nessus 32
openvas 44
oraclelinux 1
fedora 4
debian 3
prion 1
securityvulns 3
freebsd 2
seebug 1
ubuntucve 1
cve 1
gentoo 1
ubuntu 4
redhat 1
debiancve 1
slackware 1
centos 1
osv 1
nessus
nessus
Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : xine-lib (SSA:2008-111-01)
2008-04-25 00:00:00
SuSE 10 Security Update : Ogg Vorbis tools (ZYPP Patch Number 5302)
2011-01-27 00:00:00
Mandriva Linux Security Advisory : speex (MDVSA-2008:094)
2009-04-23 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 200804-17 (speex)
2008-09-24 00:00:00
Mandriva Update for xine-lib MDVSA-2008:124 (xine-lib)
2009-04-09 00:00:00
Mandriva Update for gstreamer-plugins-good MDVSA-2008:092 (gstreamer-plugins-good)
2009-04-09 00:00:00
oraclelinux
oraclelinux
speex security update
2008-04-16 00:00:00
fedora
fedora
[SECURITY] Fedora 8 Update: libfishsound-0.9.1-1.fc8
2008-04-17 03:48:20
[SECURITY] Fedora 7 Update: libfishsound-0.9.1-1.fc7
2008-05-17 22:19:28
[SECURITY] Fedora 7 Update: speex-1.2-0.3.beta1
2008-04-17 03:56:54
debian
debian
[SECURITY] [DSA 1585-1] New speex packages fix execution of arbitrary code
2008-05-21 18:15:02
[SECURITY] [DSA 1584-1] New libfissound packages fix execution of arbitrary code
2008-05-21 18:14:25
[SECURITY] [DSA 1586-1] New xine-lib packages fix several vulnerabilities
2008-05-22 17:17:06
prion
prion
Null pointer dereference
2008-04-08 18:05:00
securityvulns
securityvulns
Speex / VLC / gstreamer-plugins-good / sweep / SDL_sound / vorbis-tools / Xine buffer overflow
2008-04-17 00:00:00
libfishsound library integer overflow
2008-05-22 00:00:00
[SECURITY] [DSA 1584-1] New libfissound packages fix execution of arbitrary code
2008-05-22 00:00:00
freebsd
freebsd
libxine -- array index vulnerability
2008-04-06 00:00:00
vorbis-tools -- Speex header processing vulnerability
2008-04-18 00:00:00
seebug
seebug
FishSoundεΊ“θΏœη¨‹Speexθ§£η δ»£η ζ‰§θ‘ŒζΌζ΄ž
2008-04-13 00:00:00
ubuntucve
ubuntucve
CVE-2008-1686
2008-04-08 00:00:00
cve
cve
CVE-2008-1686
2008-04-08 18:05:00
gentoo
gentoo
Speex: User-assisted execution of arbitrary code
2008-04-17 00:00:00
ubuntu
ubuntu
vorbis-tools vulnerability
2008-05-08 00:00:00
GStreamer Good Plugins vulnerability
2008-05-08 00:00:00
Speex vulnerability
2008-05-08 00:00:00
redhat
redhat
(RHSA-2008:0235) Important: speex security update
2008-04-16 00:00:00
debiancve
debiancve
CVE-2008-1686
2008-04-08 18:05:00
slackware
slackware
[slackware-security] xine-lib
2008-04-22 01:47:04
centos
centos
speex security update
2008-04-20 14:10:28
osv
osv
xine-lib - multiple vulnerabilities
2008-05-22 00:00:00
JSON
Related for SECURITYVULNS:DOC:19688
nessus32openvas44oraclelinux1fedora4debian3prion1securityvulns3freebsd2seebug1ubuntucve1cve1gentoo1ubuntu4redhat1debiancve1slackware1centos1osv1