=========================================================== Ubuntu Security Notice USN-825-1 August 24, 2009 libvorbis vulnerability CVE-2008-1420, CVE-2009-2663 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: libvorbis0a 1.2.0.dfsg-2ubuntu0.2 Ubuntu 8.10: libvorbis0a 1.2.0.dfsg-3.1ubuntu0.8.10.1 Ubuntu 9.04: libvorbis0a 1.2.0.dfsg-3.1ubuntu0.9.04.1 After a standard system upgrade you need to restart any applications that use libvorbis, such as Totem and gtkpod, to effect the necessary changes. Details follow: It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could execute arbitrary code with the user's privileges. (CVE-2009-2663) USN-682-1 provided updated libvorbis packages to fix multiple security vulnerabilities. The upstream security patch to fix CVE-2008-1420 introduced a regression when reading sound files encoded with libvorbis 1.0beta1. This update corrects the problem. Original advisory details: It was discovered that libvorbis did not correctly handle certain malformed sound files. If a user were tricked into opening a specially crafted sound file with an application that uses libvorbis, an attacker could execute arbitrary code with the user's privileges. (CVE-2008-1420) Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.diff.gz Size/MD5: 7638 5ef4a460b5fd50930d7fff2a3ae16525 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.dsc Size/MD5: 936 d8ad7ba3c0193a2f3316bdc5fd1d5e3a http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_amd64.deb Size/MD5: 475166 de6d259598243961b3c5182c94100f1b http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_amd64.deb Size/MD5: 103952 88f017ca397bc19027405bc68a5289ce http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_amd64.deb Size/MD5: 94498 76e594149cea4b564987e11dbafec73a http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_amd64.deb Size/MD5: 19140 538a4089efae6cdfc04566fc58b42891 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_i386.deb Size/MD5: 455682 de7271e005d596055ae7fa9b1b4bc62b http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_i386.deb Size/MD5: 98852 bd8fa74c395c206003e6e91aadf6deeb http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_i386.deb Size/MD5: 76234 8504521d4e73b31a0a6c609ab774e8ce http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_i386.deb Size/MD5: 19986 98e7e407c4b79bd621fa30d2b84f9b2c lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_lpia.deb Size/MD5: 457660 14ed971b555ea3670d5dd42f611620ce http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_lpia.deb Size/MD5: 99468 07e87d8d7af71050d53166ced47504fe http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_lpia.deb Size/MD5: 76374 6c8d29103543fb88fd1a062f1bfe5b0d http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_lpia.deb Size/MD5: 19988 34bea1bc33491a9f6fc23cfbbe2e6fdd powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_powerpc.deb Size/MD5: 484518 642acb42cf899742df77c023f611a5c3 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_powerpc.deb Size/MD5: 108862 1b97fcc0cf8d5d761f4527ceec4ae6c5 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_powerpc.deb Size/MD5: 83746 b063ec251329025e942c2957c7bec973 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_powerpc.deb Size/MD5: 23846 9ea8d0f1d7e2feda361483667ee8c98b sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_sparc.deb Size/MD5: 462056 23faf950e87cdc4ca8afbb7e0ebf8efb http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_sparc.deb Size/MD5: 99760 70afdb67c094d2f0335d6b0fc8613e39 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_sparc.deb Size/MD5: 80730 e90392526ecb5627c47d0a0d7b0712c5 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_sparc.deb Size/MD5: 19260 3cb72f75781984eb6d348f09e4892dea Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.diff.gz Size/MD5: 8801 f3917fc3cf6a8e35febf6b334cda2cdf http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.dsc Size/MD5: 1388 4ba46a758620e3fe5d938cfe97ed038f http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb Size/MD5: 479182 1eeb2b5e550c6f815c33324df5554f76 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb Size/MD5: 108578 e960e8b794da2927d930f1cf4334ec23 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb Size/MD5: 95710 84bbe4ccb1f4b302c0710c2c86f5b89a http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb Size/MD5: 20338 34698dc57acb94faa3464a9f0b5d2c50 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb Size/MD5: 459476 9281d6ab6f50761dff11d81a8579a884 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb Size/MD5: 101988 77988363a0bf4a683b941cae203e6e5e http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb Size/MD5: 77430 430623540170ef59f74808456daecd5f http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb Size/MD5: 21394 f46e5ee13b6c7c8adebad46f274caa43 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb Size/MD5: 461190 ef1e6948c399b4b4d34b4993ca1a0fd8 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb Size/MD5: 102700 685a266d67332245778e49e208ab60eb http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb Size/MD5: 77588 266965c986c24dc8acbf9f0ecee6121e http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb Size/MD5: 21222 4df718e05f80a23ebb5accc4a627933f powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb Size/MD5: 490558 ffe86da6864c8d83c7f7b5931c9ef0e4 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb Size/MD5: 114702 b8e2d3ab8557085c3c834ae57ca68490 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb Size/MD5: 85080 d1d00cca1f654d523fa6a6f054a89df8 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb Size/MD5: 25152 ea2c19f249936b64a5110b2330394533 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb Size/MD5: 465326 78eaf19b4bb88f020a41699894f1d502 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb Size/MD5: 104264 4a602b8bebfb44f3cfa7add1187af42a http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb Size/MD5: 82016 4ed85df7024e4b2d9826a8191b3cf112 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb Size/MD5: 20786 d7b24c2778ce94510823f86fd94d1e04 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.diff.gz Size/MD5: 8809 9a4601ba8d5ef852360032dc4f28135b http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.dsc Size/MD5: 1388 7bf6c7ee35a1ca2b0d4b25e8188585b5 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb Size/MD5: 479242 f585f7e7ae50de3569efc48dfed2dd55 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb Size/MD5: 108562 3ba8aada28f378b9776e0c8305e271fc http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb Size/MD5: 95702 68add631494d9a565d58a8b22a5f9bf0 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb Size/MD5: 20328 da6cc0a70f79cfa253445d563ee5c250 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb Size/MD5: 459624 8e285a17020f6b93dc375af4f8284920 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb Size/MD5: 102166 6148fa7ea86461915751f0dba2ef00c6 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb Size/MD5: 77442 505253f72260e8f365ce68d947acab36 http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb Size/MD5: 21392 fee6650bfc4b4463a5a71e3dd12528bf lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb Size/MD5: 461294 24968b96a1ddafaef908011c82a6b9ee http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb Size/MD5: 102760 30ee010aefe3420151f6ace2e4a92b2b http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb Size/MD5: 77590 b6c9b556dfb4eae270f45fd1e9670700 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb Size/MD5: 21216 791d88d0551b48a2f6af17612c4e096e powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb Size/MD5: 490584 dc808a4fd3fdabfb9a76a10ec23f6529 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb Size/MD5: 114712 cdfdd11b2c932cb2a017c27d1001fbc1 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb Size/MD5: 85096 6cb5a1202e3db005ce69d7f2e0f8813c http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb Size/MD5: 25156 9ddf20413d09f546d061b3a0b093ad1e sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb Size/MD5: 465382 4de8bfe56cdcbf0490c2a69de7bca0e9 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb Size/MD5: 104286 6a238cd48456d2bd4b1b6dad87a0b506 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb Size/MD5: 81958 ce25c1cc928142e84a20c8f37caecf52 http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb Size/MD5: 20758 976ef82da1d5cb2de170dc5dcf4532b9
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/