Ubuntu
libsdl-sound1.2 package

CVE-2008-1686: Multiple speex implementations insufficient boundary checks

Bug #218652 reported by Till Ulen
256
Affects Status Importance Assigned to Milestone
vorbis-tools
Fix Released
Unknown
xine-lib
Fix Released
High
gst-plugins-good0.10 (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Fix Released
Medium
Jamie Strandboge
Feisty
Fix Released
Medium
Jamie Strandboge
Gutsy
Fix Released
Medium
Jamie Strandboge
Hardy
Fix Released
Medium
Jamie Strandboge
libannodex (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Won't Fix
Undecided
Unassigned
libfishsound (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Fix Released
Undecided
Unassigned
libsdl-sound1.2 (Ubuntu)
Won't Fix
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Won't Fix
Undecided
Unassigned
speex (Fedora)
Fix Released
High
speex (Gentoo Linux)
Fix Released
Medium
speex (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Fix Released
Medium
Jamie Strandboge
Feisty
Fix Released
Medium
Jamie Strandboge
Gutsy
Fix Released
Medium
Jamie Strandboge
Hardy
Fix Released
Medium
Jamie Strandboge
sweep (Ubuntu)
Won't Fix
Undecided
Unassigned
Dapper
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Won't Fix
Undecided
Unassigned
vlc (Ubuntu)
Fix Released
Undecided
William Grant
Dapper
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Fix Released
Undecided
William Grant
vorbis-tools (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Fix Released
Medium
Jamie Strandboge
Feisty
Fix Released
Medium
Jamie Strandboge
Gutsy
Fix Released
Medium
Jamie Strandboge
Hardy
Fix Released
Medium
Jamie Strandboge
xine-lib (Ubuntu)
Fix Released
Undecided
Reinhard Tartler
Dapper
Fix Released
Undecided
Jamie Strandboge
Feisty
Fix Released
Undecided
Jamie Strandboge
Gutsy
Fix Released
Undecided
Jamie Strandboge
Hardy
Fix Released
Undecided
Jamie Strandboge
xmms-speex (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Invalid
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned

Bug Description

Description

Uncontrolled array index in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

See:
http://www.ocert.org/advisories/ocert-2008-2.html
http://www.ocert.org/advisories/ocert-2008-004.html

From the oCERT advisory #2008-002:

"The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitary position in memory. This allows remote code execution.

A patch has been committed to the libfishsound public repository.

Affected version: <= 0.9.0

Fixed version: 0.9.1

Additional affected packages:

Speex <= 1.1.12, the reference implementation from which libfishsound is derived.

Illiminable DirectShow Filters, which statically include the libfishsound library.

Annodex Plugins for Firefox.

Credit: reporter wishes to remain anonymous

CVE: CVE-2008-1686"

From the oCERT advisory #2008-004:

"The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and
are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.

Affected version:

gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:

gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.

CVE: CVE-2008-1686"

See original description
Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1686 to the following vulnerability:

Quoting oCert advisory:

The libfishsound decoder library incorrectly implements the reference speex
decoder from the Speex library, performing insufficient boundary checks on a
header structure read from user input.

A user controlled field in the header structure is used to build a function
pointer. The libfishsound implementation does not check for negative values for
the field, allowing the function pointer to be pointed at an arbitary position
in memory. This allows remote code execution.

Affected version: <= 0.9.0
Fixed version: 0.9.1

Upstream patch in trunk:
http://trac.annodex.net/changeset/3536

References:
http://www.ocert.org/advisories/ocert-2008-2.html
http://lists.xiph.org/pipermail/speex-dev/2008-April/006636.html

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

oCert-2008-2 was updated to list speex as affected as well:

Additional affected packages:
Speex <= 1.1.6, the reference implementation from which libfishsound is derived.

Current Fedora speex packages are not affected by this problem. Affected speex
packages are shipped in Red Hat Enterprise Linux 4 and 5.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

For speex, fix first occurred in 1.2.0beta1.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Some more info in Contrad Parker's blog:

http://blog.kfish.org/2008/04/release-libfishsound-091.html

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

So far, same issue was identified in following other projects:

- gstreamer-plugins-good-0.10.6
- vorbis-tools-1.1.1 (ogg123)
- sweep-0.9.2
- xine-lib-1.1.11.1
- vlc-0.8.6f (not shipped in Fedora or Red Hat Enterprise Linux)
- SDL_sound-1.0.1
  Fedora packages seems unaffected, as they do not seem to be linked against
  libspeex despite --enable-speex and speex-devel BuildRequires

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

So far, fixed upstream in:

- gstreamer-plugins-good
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41

- sweep
http://trac.metadecks.org/changeset/554

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Speex upstream added check in speex_packet_to_header(), so that can address this
problem for all affected apps, that use speex_packet_to_header and check its
return value (all applications seem to do that correctly). For caller of
speex_packet_to_header that does not check return value, it will reduce problem
to a crash caused by NULL pointer dereference.

Patch applied to speex_packet_to_header():

$ svn diff -c 14701 http://svn.xiph.org/trunk/speex/libspeex/
Index: speex_header.c
===================================================================
--- speex_header.c (revision 14700)
+++ speex_header.c (revision 14701)
@@ -178,6 +178,13 @@
    ENDIAN_SWITCH(le_header->frames_per_packet);
    ENDIAN_SWITCH(le_header->extra_headers);

+ if (le_header->mode >= SPEEX_NB_MODES || le_header->mode < 0)
+ {
+ speex_notify("Invalid mode specified in Speex header");
+ speex_free (le_header);
+ return NULL;
+ }
+
    if (le_header->nb_channels>2)
       le_header->nb_channels = 2;
    if (le_header->nb_channels<1)

$ svn log -r 14701 http://svn.xiph.org/trunk/speex/libspeex/
------------------------------------------------------------------------
r14701 | jm | 2008-04-11 05:48:46 +0200 (Fri, 11 Apr 2008) | 5 lines

Patch by kfish that checks for headers with invalid mode numbers. Technically,
it should have been the application's responsability, but many didn't, so
we ended up with security issues. Considering that there's no real use for
modes that Speex doesn't know about, this should workaround a lot of problems.

------------------------------------------------------------------------

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Upstream bugreport for ogg123:

https://trac.xiph.org/ticket/1347

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Upstream speex commit mentioned in comment #14 is also viewalbe via xiph.org trac:

https://trac.xiph.org/changeset/14701

Revision history for this message
In , Diego Elio Pettenò (flameeyes) wrote :

Created an attachment (id=43)
oCERT-2008-003

Patch that should fix the issue.

Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

xiph's (lib)speex 1.2 beta 3.2 has been tagged that fixes CVE-2008-1686 directly in the the speex_header_to_packet() function which applications use. Sanitations inside applications are therefore unnecessary.

Patch:
  https://trac.xiph.org/changeset/14701

Revision history for this message
In , Darren Salt (dsalt) wrote :

Fixed in 1.1.12.

Revision history for this message
In , ssuominen (ssuominen-gentoo-bugs) wrote :

And we have it in Portage now,

*speex-1.2_beta3_p2 (15 Apr 2008)

  15 Apr 2008; Samuli Suominen <email address hidden> -speex-1.1.7.ebuild,
  +speex-1.2_beta3_p2.ebuild:
  Version bump.

Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

Arch Security Liaisons, please test and mark stable:
=media-libs/speex-1.2_beta3_p2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

Revision history for this message
In , armin76 (armin76-gentoo-bugs) wrote :

Adding Tobias for alpha

Revision history for this message
In , fmccor (fmccor-gentoo-bugs) wrote :

Sparc stable (tested with {.wav}).

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

xine-lib 1.1.12 was released today adding same check to speex decoder used by
xine-lib:

http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655

xine-lib update will not be needed for security reasons after following speex
updates are pushed to stable:

https://admin.fedoraproject.org/updates/F7/pending/speex-1.2-0.3.beta1
https://admin.fedoraproject.org/updates/F8/pending/speex-1.2-0.4.beta2

Those updates implement check on speex side, based on speex upstream change
https://trac.xiph.org/changeset/14701

Revision history for this message
In , corsair (corsair-gentoo-bugs) wrote :

ppc64 stable

Revision history for this message
In , ssuominen (ssuominen-gentoo-bugs) wrote :

amd64 stable, tested by playing with ogg123 (vorbis-tools using USE speex) and
converting .spx to .wav and back to .spx using speexdec and speexenc
also tested by an AT (VQuickSilver, Freenode), thanks to him

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

xine-lib HG commit:

http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718fb;style=gitweb

Revision history for this message
In , klausman (klausman-gentoo-bugs) wrote :

Stable for alpha.

Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

*** Bug 217820 has been marked as a duplicate of this bug. ***

Revision history for this message
In , dertobi123 (dertobi123-gentoo-bugs) wrote :

ppc stable

Revision history for this message
In , maekke (maekke-gentoo-bugs) wrote :

x86 stable

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libfishsound-0.9.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

speex-1.2-0.4.beta2 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

speex-1.2-0.3.beta1 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

oCERT published advisory oCERT-2008-004 describing affected applications:

http://www.ocert.org/advisories/ocert-2008-004.html

Speex package update is sufficient to address the issue in all affected
applications.

Revision history for this message
In , vorlon (vorlon-gentoo-bugs) wrote :

now public via http://www.ocert.org/advisories/ocert-2008-004.html

Revision history for this message
In , vorlon (vorlon-gentoo-bugs) wrote :

removing arch security liaisons, adding missing arches, adding sound herd
hope I didn't forget to remove/add anyone

glsa request filed

Revision history for this message
In , vorlon (vorlon-gentoo-bugs) wrote :

really removing this time

Revision history for this message
In , armin76 (armin76-gentoo-bugs) wrote :

ia64 stable

Revision history for this message
In , klausman (klausman-gentoo-bugs) wrote :

Removing myself since I stood in for ferdy as sec liaison for Alpha.

Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

GLSA 200804-17.

Revision history for this message
Till Ulen (tillulen) wrote :

Description

Uncontrolled array index in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

See:
http://www.ocert.org/advisories/ocert-2008-2.html
http://www.ocert.org/advisories/ocert-2008-004.html

From the oCERT advisory #2008-002:

"The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitary position in memory. This allows remote code execution.

A patch has been committed to the libfishsound public repository.

Affected version: <= 0.9.0

Fixed version: 0.9.1

Additional affected packages:

Speex <= 1.1.12, the reference implementation from which libfishsound is derived.

Illiminable DirectShow Filters, which statically include the libfishsound library.

Annodex Plugins for Firefox.

Credit: reporter wishes to remain anonymous

CVE: CVE-2008-1686"

From the oCERT advisory #2008-004:

"The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and
are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.

Affected version:

gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:

gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.

CVE: CVE-2008-1686"

Revision history for this message
In , pva (pva-gentoo-bugs) wrote :

Fixed in release snapshot.

Jamie Strandboge (jdstrand)
Changed in gst-plugins-good0.10:
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Changed in xmms-speex:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in gst-plugins-good0.10:
assignee: nobody → jdstrand
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in speex:
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Changed in vorbis-tools:
assignee: nobody → jdstrand
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in vorbis-tools:
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in xine-lib:
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in gst-plugins-good0.10:
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
status: New → Confirmed
Changed in speex:
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

1.2~beta3.2-1 in Intrepid is not affected.

Changed in speex:
status: New → Invalid
Changed in vorbis-tools:
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

gst-plugins-good0.10.8 is not affected despite oCERT advisory. From ChangeLog:

2008-04-11 Jan Schmidt <email address hidden>

        * ext/speex/gstspeexdec.c: (speex_dec_chain_parse_header):
        Fix bounds checking of mode in Speex header, which may
        produce negative numbers in speex <= 1.1.12

I also verified the source.

Changed in gst-plugins-good0.10:
status: Confirmed → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package speex - 1.1.12-3ubuntu0.8.04.1

---------------
speex (1.1.12-3ubuntu0.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * fix for libspeex/speex_header.c to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:40:18 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package speex - 1.1.12-3ubuntu0.7.10.1

---------------
speex (1.1.12-3ubuntu0.7.10.1) gutsy-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * fix for libspeex/speex_header.c to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:42:28 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package speex - 1.1.12-3ubuntu0.7.04.1

---------------
speex (1.1.12-3ubuntu0.7.04.1) feisty-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * fix for libspeex/speex_header.c to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:43:25 -0400

Changed in speex:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vorbis-tools - 1.1.1-15ubuntu0.1

---------------
vorbis-tools (1.1.1-15ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * debian/patches/SECURITY_CVE-2008-1686.diff: fix for ogg123/speex_format.c
    to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:53:17 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vorbis-tools - 1.1.1-13ubuntu0.1

---------------
vorbis-tools (1.1.1-13ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * debian/patches/SECURITY_CVE-2008-1686.diff: fix for ogg123/speex_format.c
    to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:57:07 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vorbis-tools - 1.1.1-6ubuntu0.1

---------------
vorbis-tools (1.1.1-6ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * debian/patches/SECURITY_CVE-2008-1686.diff: fix for ogg123/speex_format.c
    to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:58:41 -0400

Changed in vorbis-tools:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gst-plugins-good0.10 - 0.10.7-3ubuntu0.1

---------------
gst-plugins-good0.10 (0.10.7-3ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * debian/patches/99_SECURITY_CVE-2008-1686.patch: fix for
    ext/speex/gstspeexdec.c to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:09:52 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gst-plugins-good0.10 - 0.10.6-0ubuntu4.1

---------------
gst-plugins-good0.10 (0.10.6-0ubuntu4.1) gutsy-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * debian/patches/04_SECURITY_CVE-2008-1686.patch: fix for
    ext/speex/gstspeexdec.c to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:14:21 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gst-plugins-good0.10 - 0.10.5-1ubuntu2.1

---------------
gst-plugins-good0.10 (0.10.5-1ubuntu2.1) feisty-security; urgency=low

  * SECURITY UPDATE: array index vulnerability (LP: #218652)
  * debian/patches/02_SECURITY_CVE-2008-1686.patch: fix for
    ext/speex/gstspeexdec.c to properly validate its input
  * References
    CVE-2008-1686

 -- Jamie Strandboge <email address hidden> Wed, 07 May 2008 13:16:52 -0400

Changed in gst-plugins-good0.10:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in speex:
status: Unknown → Fix Released
status: Unknown → In Progress
Changed in vorbis-tools:
status: Unknown → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in xine-lib:
status: Unknown → Fix Released
Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libfishsound-0.9.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Bug Watch Updater (bug-watch-updater)
Changed in speex:
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in speex:
status: Fix Released → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

http://www.ubuntu.com/usn/usn-611-1

Changed in speex:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

http://www.ubuntu.com/usn/usn-611-2

Changed in vorbis-tools:
status: Fix Committed → Fix Released
Revision history for this message
In , Red (red-redhat-bugs) wrote :

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0235.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3117
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3191
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3059
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3103

Bug Watch Updater (bug-watch-updater)
Changed in speex:
status: In Progress → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

VLC patch at http://trac.videolan.org/vlc/changeset/c1c81073e661f7d80197711ab11753e1e170b44c.

Revision history for this message
Reinhard Tartler (siretart) wrote :

new upstream (1.1.14) fixing this issue is prepared.

Changed in xine-lib:
assignee: nobody → siretart
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xine-lib - 1.1.14-1ubuntu1

---------------
xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low

  * merge from debian unstable. Remaining changes:
    - disable the jack plugin
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
  * New upstream fixes:
    - playback of MJPEG files LP: #93076
    - CVE-2008-1878 LP: #235904
    - CVE-2008-1686 LP: #218652
  * remove Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1). We don't
    support upgrades from dapper/feisty anymore.

xine-lib (1.1.14-1) unstable; urgency=low

  * The "beat the freeze" release.
  * New upstream release.
    - All patches in 1.1.12-2 are present upstream.
    - MIME types added. (Closes: #472869)
  * Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
  * Build-depend on ghostscript | gs | gs-gpl.

 -- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200

Changed in xine-lib:
status: Fix Committed → Fix Released
William Grant (wgrant)
Changed in vlc:
assignee: nobody → wgrant
status: New → Fix Released
assignee: nobody → wgrant
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in xine-lib:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Changed in gst-plugins-good0.10:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Debian fixed this in 1.2.0-2, and Intrepid now has 1.2.0-5

Changed in vorbis-tools:
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

My last comment was for vorbis-tools.

William Grant (wgrant)
Changed in vlc:
status: In Progress → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in libannodex:
status: New → Won't Fix
Changed in libfishsound:
status: New → Won't Fix
Changed in libsdl-sound1.2:
status: New → Won't Fix
Changed in sweep:
status: New → Won't Fix
Changed in vlc:
status: New → Won't Fix
Changed in xmms-speex:
status: New → Won't Fix
Kees Cook (kees)
Changed in xmms-speex:
status: New → Confirmed
Changed in libannodex:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in libfishsound:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in libsdl-sound1.2:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in sweep:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in vlc:
status: New → Confirmed
status: New → Confirmed
Kees Cook (kees)
Changed in libannodex:
status: New → Confirmed
Changed in libfishsound:
status: New → Confirmed
Changed in libsdl-sound1.2:
status: New → Confirmed
Changed in sweep:
status: New → Confirmed
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in libannodex (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in libfishsound (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in libsdl-sound1.2 (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in sweep (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in vlc (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in xmms-speex (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Revision history for this message
Brian Thomason (brian-thomason) wrote :

This patch provides the fix from Debian for libfishsound in Hardy.

Brian Murray (brian-murray)
tags: added: patch
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Desktop support has end for Dapper.

Changed in vlc (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in libannodex (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in libfishsound (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in libsdl-sound1.2 (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in sweep (Ubuntu Dapper):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

ACK libfishsound for hardy.

tags: removed: patch
Changed in libfishsound (Ubuntu Hardy):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libfishsound - 0.7.0-2.1ubuntu0.1

---------------
libfishsound (0.7.0-2.1ubuntu0.1) hardy-security; urgency=low

  [ Brian Thomason ]
  * SECURITY UPDATE: uncontrolled array index (LP: #218652)
  - src/libfishsound/speex.c - Added check for negative offset.
    Based on Debian patch.
  - CVE-2008-1686

  [ Jamie Strandboge ]
  * debian/control: adjust section from 'unknown' to 'sound'
 -- Brian Thomason <email address hidden> Tue, 29 Jun 2010 16:24:03 -0400

Changed in libfishsound (Ubuntu Hardy):
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in speex (Gentoo Linux):
importance: Unknown → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in sweep (Ubuntu Hardy):
status: Confirmed → Won't Fix
Changed in libannodex (Ubuntu):
status: Confirmed → Invalid
Changed in libannodex (Ubuntu Hardy):
status: Confirmed → Won't Fix
Changed in libsdl-sound1.2 (Ubuntu Hardy):
status: Confirmed → Won't Fix
Changed in libfishsound (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand)
Changed in sweep (Ubuntu):
status: Confirmed → Won't Fix
Changed in libsdl-sound1.2 (Ubuntu):
status: Confirmed → Won't Fix
Bug Watch Updater (bug-watch-updater)
Changed in xine-lib:
importance: Unknown → High
Bug Watch Updater (bug-watch-updater)
Changed in speex (Fedora):
importance: Unknown → High
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.