
[Full-disclosure] [USN-825-1] libvorbis vulnerability



===========================================================
Ubuntu Security Notice USN-825-1            August 24, 2009
libvorbis vulnerability
CVE-2008-1420, CVE-2009-2663
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libvorbis0a                     1.2.0.dfsg-2ubuntu0.2

Ubuntu 8.10:
  libvorbis0a                     1.2.0.dfsg-3.1ubuntu0.8.10.1

Ubuntu 9.04:
  libvorbis0a                     1.2.0.dfsg-3.1ubuntu0.9.04.1

After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.
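The restart step above is the one most often skipped: dpkg replaces the shared object on disk, but every program that already has the old libvorbis mapped keeps running the vulnerable code until it is restarted. On Linux such mappings show up in /proc/&lt;pid&gt;/maps with a trailing "(deleted)" marker once the file has been replaced. The following script, added here as an illustration and not part of the advisory or of Ubuntu's tooling, scans those maps and lists the processes that still need restarting. The `proc_root` parameter is an assumption made for testability; in normal use it stays at the default `/proc`, and reading other users' maps requires root.

```python
"""List processes that still map a libvorbis shared object (added example)."""
import os
import re
from typing import List, NamedTuple

# Matches libvorbis.so, libvorbisenc.so and libvorbisfile.so (any version suffix).
LIB_PATTERN = re.compile(r"/libvorbis[a-z]*\.so")


class Mapping(NamedTuple):
    pid: int
    comm: str    # process name from /proc/<pid>/comm (empty if unreadable)
    path: str    # path of the mapped object as shown in maps
    stale: bool  # True when the on-disk file was replaced/deleted after load


def _read(path: str) -> str:
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:  # process exited, or no permission for another user's maps
        return ""


def scan_libvorbis_mappings(proc_root: str = "/proc") -> List[Mapping]:
    """Return one Mapping per (pid, object) whose pathname matches LIB_PATTERN."""
    found: List[Mapping] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys, ...
        pid = int(entry)
        maps = _read(os.path.join(proc_root, entry, "maps"))
        if not maps:
            continue
        comm = _read(os.path.join(proc_root, entry, "comm")).strip()
        seen = set()
        for line in maps.splitlines():
            # maps line: address perms offset dev inode pathname [(deleted)]
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # anonymous mapping, no pathname
            pathname = fields[5]
            if not LIB_PATTERN.search(pathname):
                continue
            stale = pathname.endswith("(deleted)")
            path = pathname[: -len(" (deleted)")] if stale else pathname
            key = (path, stale)
            if key in seen:
                continue  # one object is mapped as several segments; report it once
            seen.add(key)
            found.append(Mapping(pid, comm, path, stale))
    return sorted(found)


def processes_needing_restart(proc_root: str = "/proc") -> List[Mapping]:
    """Only the mappings whose backing file has been replaced since it was loaded."""
    return [m for m in scan_libvorbis_mappings(proc_root) if m.stale]


if __name__ == "__main__":
    for m in processes_needing_restart():
        print(f"restart pid {m.pid} ({m.comm}): still maps old {m.path}")
```

Run it as root after the upgrade; an empty result means no process is still executing the pre-update library. A process that maps the new file without the "(deleted)" marker was started (or restarted) after the package was replaced and needs no action.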

Details follow:

It was discovered that libvorbis did not correctly handle certain malformed
ogg files. If a user were tricked into opening a specially crafted ogg file
with an application that uses libvorbis, an attacker could execute
arbitrary code with the user's privileges. (CVE-2009-2663)

USN-682-1 provided updated libvorbis packages to fix multiple security
vulnerabilities. The upstream security patch to fix CVE-2008-1420
introduced a regression when reading sound files encoded with libvorbis
1.0beta1. This update corrects the problem.

Original advisory details:

 It was discovered that libvorbis did not correctly handle certain
 malformed sound files. If a user were tricked into opening a specially
 crafted sound file with an application that uses libvorbis, an attacker
 could execute arbitrary code with the user's privileges. (CVE-2008-1420)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.diff.gz
      Size/MD5:     7638 5ef4a460b5fd50930d7fff2a3ae16525
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.dsc
      Size/MD5:      936 d8ad7ba3c0193a2f3316bdc5fd1d5e3a
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
      Size/MD5:  1477935 3c7fff70c0989ab3c1c85366bf670818

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_amd64.deb
      Size/MD5:   475166 de6d259598243961b3c5182c94100f1b
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_amd64.deb
      Size/MD5:   103952 88f017ca397bc19027405bc68a5289ce
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_amd64.deb
      Size/MD5:    94498 76e594149cea4b564987e11dbafec73a
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_amd64.deb
      Size/MD5:    19140 538a4089efae6cdfc04566fc58b42891

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_i386.deb
      Size/MD5:   455682 de7271e005d596055ae7fa9b1b4bc62b
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_i386.deb
      Size/MD5:    98852 bd8fa74c395c206003e6e91aadf6deeb
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_i386.deb
      Size/MD5:    76234 8504521d4e73b31a0a6c609ab774e8ce
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_i386.deb
      Size/MD5:    19986 98e7e407c4b79bd621fa30d2b84f9b2c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_lpia.deb
      Size/MD5:   457660 14ed971b555ea3670d5dd42f611620ce
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_lpia.deb
      Size/MD5:    99468 07e87d8d7af71050d53166ced47504fe
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_lpia.deb
      Size/MD5:    76374 6c8d29103543fb88fd1a062f1bfe5b0d
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_lpia.deb
      Size/MD5:    19988 34bea1bc33491a9f6fc23cfbbe2e6fdd

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
      Size/MD5:   484518 642acb42cf899742df77c023f611a5c3
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
      Size/MD5:   108862 1b97fcc0cf8d5d761f4527ceec4ae6c5
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
      Size/MD5:    83746 b063ec251329025e942c2957c7bec973
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
      Size/MD5:    23846 9ea8d0f1d7e2feda361483667ee8c98b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_sparc.deb
      Size/MD5:   462056 23faf950e87cdc4ca8afbb7e0ebf8efb
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_sparc.deb
      Size/MD5:    99760 70afdb67c094d2f0335d6b0fc8613e39
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_sparc.deb
      Size/MD5:    80730 e90392526ecb5627c47d0a0d7b0712c5
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_sparc.deb
      Size/MD5:    19260 3cb72f75781984eb6d348f09e4892dea

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.diff.gz
      Size/MD5:     8801 f3917fc3cf6a8e35febf6b334cda2cdf
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.dsc
      Size/MD5:     1388 4ba46a758620e3fe5d938cfe97ed038f
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
      Size/MD5:  1477935 3c7fff70c0989ab3c1c85366bf670818

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
      Size/MD5:   479182 1eeb2b5e550c6f815c33324df5554f76
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
      Size/MD5:   108578 e960e8b794da2927d930f1cf4334ec23
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
      Size/MD5:    95710 84bbe4ccb1f4b302c0710c2c86f5b89a
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
      Size/MD5:    20338 34698dc57acb94faa3464a9f0b5d2c50

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
      Size/MD5:   459476 9281d6ab6f50761dff11d81a8579a884
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
      Size/MD5:   101988 77988363a0bf4a683b941cae203e6e5e
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
      Size/MD5:    77430 430623540170ef59f74808456daecd5f
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
      Size/MD5:    21394 f46e5ee13b6c7c8adebad46f274caa43

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
      Size/MD5:   461190 ef1e6948c399b4b4d34b4993ca1a0fd8
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
      Size/MD5:   102700 685a266d67332245778e49e208ab60eb
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
      Size/MD5:    77588 266965c986c24dc8acbf9f0ecee6121e
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
      Size/MD5:    21222 4df718e05f80a23ebb5accc4a627933f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
      Size/MD5:   490558 ffe86da6864c8d83c7f7b5931c9ef0e4
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
      Size/MD5:   114702 b8e2d3ab8557085c3c834ae57ca68490
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
      Size/MD5:    85080 d1d00cca1f654d523fa6a6f054a89df8
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
      Size/MD5:    25152 ea2c19f249936b64a5110b2330394533

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
      Size/MD5:   465326 78eaf19b4bb88f020a41699894f1d502
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
      Size/MD5:   104264 4a602b8bebfb44f3cfa7add1187af42a
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
      Size/MD5:    82016 4ed85df7024e4b2d9826a8191b3cf112
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
      Size/MD5:    20786 d7b24c2778ce94510823f86fd94d1e04

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.diff.gz
      Size/MD5:     8809 9a4601ba8d5ef852360032dc4f28135b
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.dsc
      Size/MD5:     1388 7bf6c7ee35a1ca2b0d4b25e8188585b5
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
      Size/MD5:  1477935 3c7fff70c0989ab3c1c85366bf670818

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
      Size/MD5:   479242 f585f7e7ae50de3569efc48dfed2dd55
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
      Size/MD5:   108562 3ba8aada28f378b9776e0c8305e271fc
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
      Size/MD5:    95702 68add631494d9a565d58a8b22a5f9bf0
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
      Size/MD5:    20328 da6cc0a70f79cfa253445d563ee5c250

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
      Size/MD5:   459624 8e285a17020f6b93dc375af4f8284920
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
      Size/MD5:   102166 6148fa7ea86461915751f0dba2ef00c6
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
      Size/MD5:    77442 505253f72260e8f365ce68d947acab36
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
      Size/MD5:    21392 fee6650bfc4b4463a5a71e3dd12528bf

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
      Size/MD5:   461294 24968b96a1ddafaef908011c82a6b9ee
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
      Size/MD5:   102760 30ee010aefe3420151f6ace2e4a92b2b
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
      Size/MD5:    77590 b6c9b556dfb4eae270f45fd1e9670700
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
      Size/MD5:    21216 791d88d0551b48a2f6af17612c4e096e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
      Size/MD5:   490584 dc808a4fd3fdabfb9a76a10ec23f6529
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
      Size/MD5:   114712 cdfdd11b2c932cb2a017c27d1001fbc1
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
      Size/MD5:    85096 6cb5a1202e3db005ce69d7f2e0f8813c
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
      Size/MD5:    25156 9ddf20413d09f546d061b3a0b093ad1e

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
      Size/MD5:   465382 4de8bfe56cdcbf0490c2a69de7bca0e9
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
      Size/MD5:   104286 6a238cd48456d2bd4b1b6dad87a0b506
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
      Size/MD5:    81958 ce25c1cc928142e84a20c8f37caecf52
    http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
      Size/MD5:    20758 976ef82da1d5cb2de170dc5dcf4532b9
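For hosts that cannot pull the update through apt (air-gapped or manually patched systems), the Size/MD5 pairs above are what an administrator checks a hand-downloaded package against. The script below is an added example, not part of the advisory or of Ubuntu's tooling: it parses the USN "URL / Size/MD5:" pairs in the format published above and compares a local file's length and MD5 digest against the entry for its filename. `SAMPLE_USN_TEXT` is copied from the Ubuntu 9.04 source-archive section; every other name in the block is the example's own.

```python
"""Parse a USN checksum table and verify downloaded files against it (added example)."""
import hashlib
import os
import re
from typing import Dict, NamedTuple, Optional


class Expected(NamedTuple):
    url: str
    size: int
    md5: str


# One USN entry is a URL line followed by a "Size/MD5: <size> <32 hex digits>" line.
_ENTRY = re.compile(
    r"^\s*(?P<url>https?://\S+)\s*\n\s*Size/MD5:\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})",
    re.MULTILINE,
)


def parse_usn_checksums(text: str) -> Dict[str, Expected]:
    """Map each package filename (the URL's basename) to its published size and MD5."""
    table: Dict[str, Expected] = {}
    for m in _ENTRY.finditer(text):
        url = m.group("url")
        table[url.rsplit("/", 1)[-1]] = Expected(url, int(m.group("size")), m.group("md5"))
    return table


def verify_file(path: str, table: Dict[str, Expected]) -> Optional[str]:
    """Return None when the file matches its advisory entry, otherwise the reason it does not."""
    name = os.path.basename(path)
    exp = table.get(name)
    if exp is None:
        return f"{name}: no entry in advisory"
    size = os.path.getsize(path)
    if size != exp.size:  # cheap check first; a truncated download fails here
        return f"{name}: size {size} != published {exp.size}"
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    if h.hexdigest() != exp.md5:
        return f"{name}: md5 {h.hexdigest()} != published {exp.md5}"
    return None


# Copied from the advisory text (Ubuntu 9.04 source archives).
SAMPLE_USN_TEXT = """
  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.diff.gz
      Size/MD5:     8809 9a4601ba8d5ef852360032dc4f28135b
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.dsc
      Size/MD5:     1388 7bf6c7ee35a1ca2b0d4b25e8188585b5
    http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
      Size/MD5:  1477935 3c7fff70c0989ab3c1c85366bf670818
"""

if __name__ == "__main__":
    import sys
    # usage: python verify_usn.py <downloaded files...>
    table = parse_usn_checksums(SAMPLE_USN_TEXT)
    for p in sys.argv[1:]:
        print(verify_file(p, table) or f"{os.path.basename(p)}: OK")
```

Feed the parser the full advisory text rather than the sample to cover every architecture. The MD5 values only guard against a corrupted or truncated download; MD5 is not collision resistant, so the authoritative integrity check remains the OpenPGP signature on the advisory itself and the signed Release metadata that apt verifies when it fetches the packages.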




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/