[libvorbis] [CVE-2007-4066] multiple buffer overflows in libvorbis before 1.2.0
Bug #185031 reported by
disabled.user
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvorbis (Fedora) |
Fix Released
|
High
|
|||
libvorbis (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Dapper |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
References:
DSA-1471-1 (http://
Quoting CVE-2007-4066:
"Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array."
DSA-1471-1 also mentions CVE-2007-3106 and CVE-2007-4029, which have been fixed in USN-498-1.
Changed in libvorbis: | |
status: | Unknown → Fix Released |
Changed in libvorbis (Fedora): | |
importance: | Unknown → High |
To post a comment you must log in.
Multiple flaws have been found in libvorbis. These are fixed via libvorbis
version 1.2.0.
It should be noted that libvorbis 1.2.0 also fixes the issue described in bug
245991.
The id number of each flaw is the subversion commit id. The descriptions were svn.xiph. org/trunk/ vorbis
provided by Chris Montgomery. The libvorbis subversion repository is located here:
http://
13217: possible seek infinite loop in libvorbisfile 13154,13155, 13167: residue decode vector overflow [heap read/write]
13215: multiplexed/non Vorbis stream support [heap read, potential heap write]
13211: better return value checking of seeks [heap read, potential heap write]
13179: check legal maximum blocksize [static array read]
13169,13170,13172: correctly handle codebooks with zero entires [heap read/write]
13168: low bitrate static mode declaration error [static read, heap read,
potential heap write]
13151,13153,
13162: static initializer declarations, check-before-free error fixes [heap
read/write]
13149: check legal minimum blocksize [static array read]