[CVE-2008-2109] Denial of service via the ID3_FIELD_TYPE_STRINGLIST field

Bug #230620 reported by Till Ulen
Affects | Status | Importance | Assigned to | Milestone
libid3tag (Debian) | Fix Released | Unknown | |
libid3tag (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

CVE-2008-2109 description:

"field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2109
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2109

Despite its version number, libid3tag0 version 0.15.1b-10 from Hardy does contain the vulnerable code. So do the versions from previous releases, I guess.
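
Added example, not part of the original report and not libid3tag's code: a simplified C model of the bug class the CVE text describes, a list-parsing loop that terminates only if every element parse consumes input. The 2-byte-unit element parser, the function names and the sample buffers are assumptions constructed for illustration; the iteration cap stands in for the infinite loop so the stall can be observed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical element parser (assumption, not libid3tag code): reads
 * 2-byte units until a 00 00 terminator. A lone trailing byte cannot
 * form a unit, so it is left unconsumed and *ptr does not move. */
static void parse_item(const unsigned char **ptr, size_t len)
{
    const unsigned char *end = *ptr + (len & ~(size_t)1);
    while (end - *ptr >= 2) {
        int is_nul = ((*ptr)[0] == 0 && (*ptr)[1] == 0);
        *ptr += 2;
        if (is_nul)
            break;
    }
}

/* Parse a string list. Returns the item count, or -1 if the loop was
 * still running after max_iter passes (the stall that would otherwise
 * spin forever). check_progress=1 enables the hardened loop. */
int parse_list(const unsigned char *buf, size_t len,
               int check_progress, int max_iter)
{
    const unsigned char *ptr = buf, *end = buf + len;
    int items = 0, iter = 0;
    while (end - ptr > 0) {
        const unsigned char *before = ptr;
        if (++iter > max_iter)
            return -1;              /* never terminated: CPU-burning loop */
        parse_item(&ptr, (size_t)(end - ptr));
        if (check_progress && ptr == before)
            break;                  /* nothing consumed: stop parsing */
        items++;
    }
    return items;
}

/* Constructed sample: "A" and "B" as 2-byte units, each terminated. */
const unsigned char LIST_OK[]    = { 'A', 0, 0, 0, 'B', 0, 0, 0 };
/* Constructed sample: the same list followed by one stray '\0' byte. */
const unsigned char LIST_STRAY[] = { 'A', 0, 0, 0, 'B', 0, 0, 0, 0 };

int main(void)
{
    printf("unchecked=%d checked=%d\n",
           parse_list(LIST_STRAY, sizeof LIST_STRAY, 0, 1000),
           parse_list(LIST_STRAY, sizeof LIST_STRAY, 1, 1000));
    return 0;
}
```

The general defence for this class of bug is to treat "no bytes consumed" as a terminating condition in any loop that is driven by remaining input length.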

Changed in libid3tag:
status: Unknown → Fix Released
William Grant (wgrant) wrote :

It looks like Debian patched this years ago.

Kees Cook (kees)
Changed in libid3tag:
status: New → Invalid