Comment 31 for bug 218652

In , Tomas (tomas-redhat-bugs) wrote :

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1686 to the following vulnerability:

Quoting oCert advisory:

The libfishsound decoder library incorrectly implements the reference speex
decoder from the Speex library, performing insufficient boundary checks on a
header structure read from user input.

A user controlled field in the header structure is used to build a function
pointer. The libfishsound implementation does not check for negative values for
the field, allowing the function pointer to be pointed at an arbitrary position
in memory. This allows remote code execution.

Affected version: <= 0.9.0
Fixed version: 0.9.1

Upstream patch in trunk:
http://trac.annodex.net/changeset/3536

References:
http://www.ocert.org/advisories/ocert-2008-2.html
http://lists.xiph.org/pipermail/speex-dev/2008-April/006636.html
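
The class of bug the advisory describes, shown as an added example that is not part of the original comment and is not libfishsound or Speex code: a signed header field indexes a table of function pointers, and a check that covers only the upper bound still accepts negative values. All `demo_*` names, the table size, the 4-byte little-endian field layout and the sample headers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_NB_MODES 3   /* hypothetical table size */

typedef int (*demo_decode_fn)(void);

/* Stand-in decoders; each returns its sample rate so the choice is visible. */
static int demo_nb(void)  { return 8000; }
static int demo_wb(void)  { return 16000; }
static int demo_uwb(void) { return 32000; }

static const demo_decode_fn demo_modes[DEMO_NB_MODES] = { demo_nb, demo_wb, demo_uwb };

/* Constructed sample headers: the first 4 bytes hold the mode field. */
const uint8_t demo_hdr_valid[4]    = { 0x01, 0x00, 0x00, 0x00 };  /* mode 1  */
const uint8_t demo_hdr_negative[4] = { 0xff, 0xff, 0xff, 0xff };  /* mode -1 */

/* Decode a signed 32-bit little-endian field from untrusted bytes. */
int32_t demo_read_mode(const uint8_t *hdr)
{
    uint32_t v = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                 ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    return (v & 0x80000000u) ? -(int32_t)(~v) - 1 : (int32_t)v;
}

/* Incomplete check: rejects only indexes past the end of the table. */
int demo_upper_bound_only(int32_t mode) { return mode < DEMO_NB_MODES; }

/* Complete check: the index must lie inside [0, DEMO_NB_MODES). */
int demo_in_range(int32_t mode) { return mode >= 0 && mode < DEMO_NB_MODES; }

/* Returns the decoder for a header, or NULL if the header is rejected. */
demo_decode_fn demo_select(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 4)
        return NULL;
    int32_t mode = demo_read_mode(hdr);
    return demo_in_range(mode) ? demo_modes[mode] : NULL;
}

int main(void)
{
    int32_t m = demo_read_mode(demo_hdr_negative);
    printf("mode %d: upper-bound-only=%d in-range=%d\n",
           (int)m, demo_upper_bound_only(m), demo_in_range(m));
    return demo_select(demo_hdr_negative, 4) == NULL ? 0 : 1;
}
```

The table lookup happens only after the full range check, so a rejected header never reaches the indexing expression.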