Debian Bug report logs -
#540958
libvorbis: CVE-2009-2663 vulnerability
Reported by: Michael S Gilbert <michael.s.gilbert@gmail.com>
Date: Mon, 10 Aug 2009 23:36:01 UTC
Severity: grave
Tags: security
Found in version 1.1.2.dfsg-1.4
Fixed in version libvorbis/1.2.0.dfsg-6
Done: Peter Samuelson <peter@p12n.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#540958; Package libvorbis.
(Mon, 10 Aug 2009 23:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael S Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Peter Samuelson <peter@p12n.org>.
(Mon, 10 Aug 2009 23:36:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvorbis.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.
Please coordinate with the security team to prepare updates for the
stable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
http://security-tracker.debian.net/tracker/CVE-2009-2663
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#540958; Package libvorbis.
(Tue, 11 Aug 2009 04:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list.
(Tue, 11 Aug 2009 04:06:05 GMT) (full text, mbox, link).
Message #10 received at 540958@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
> CVE-2009-2663[0]:
> | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> | 3.5.x before 3.5.2 and other products, allows context-dependent
> | attackers to cause a denial of service (memory corruption and
> | application crash) or possibly execute arbitrary code via a crafted
> | .ogg file.
Thanks, I'll prepare updates for etch, lenny, and sid. I assume the
Mozillae in Debian use the system libvorbis, not a separate copy.
--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#540958; Package libvorbis.
(Tue, 11 Aug 2009 06:15:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list.
(Tue, 11 Aug 2009 06:15:03 GMT) (full text, mbox, link).
Message #15 received at 540958@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
> CVE-2009-2663[0]:
> | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> | 3.5.x before 3.5.2 and other products, allows context-dependent
> | attackers to cause a denial of service (memory corruption and
> | application crash) or possibly execute arbitrary code via a crafted
> | .ogg file.
I've applied upstream's patch[*] to the etch and lenny libvorbis releases:
http://p12n.org/tmp/cve-2009-2663/libvorbis_1.1.2.dfsg-1.4+etch4.dsc
http://p12n.org/tmp/cve-2009-2663/libvorbis_1.2.0.dfsg-3.1+lenny1.dsc
I'm prepared to upload the same patch to sid, as libvorbis 1.2.0.dfsg-6.
(I could upload a new upstream version, but I'd like to try and resolve
a dfsg situation there first.)
[*] svn diff -r16180:16182 http://svn.xiph.org/trunk/vorbis
--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#540958; Package libvorbis.
(Tue, 11 Aug 2009 15:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>.
(Tue, 11 Aug 2009 15:39:03 GMT) (full text, mbox, link).
Message #20 received at 540958@bugs.debian.org (full text, mbox, reply):
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
>
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
>
> Thanks, I'll prepare updates for etch, lenny, and sid. I assume the
> Mozillae in Debian use the system libvorbis, not a separate copy.
no, in fact they embed, and i've submitted a bug for that separately.
thanks for working this!
mike
Reply sent
to Peter Samuelson <peter@p12n.org>:
You have taken responsibility.
(Wed, 12 Aug 2009 05:03:06 GMT) (full text, mbox, link).
Notification sent
to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Wed, 12 Aug 2009 05:03:07 GMT) (full text, mbox, link).
Message #25 received at 540958-close@bugs.debian.org (full text, mbox, reply):
Source: libvorbis
Source-Version: 1.2.0.dfsg-6
We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive:
libvorbis-dev_1.2.0.dfsg-6_amd64.deb
to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6_amd64.deb
libvorbis-dev_1.2.0.dfsg-6_i386.deb
to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6_i386.deb
libvorbis0a_1.2.0.dfsg-6_amd64.deb
to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6_amd64.deb
libvorbis0a_1.2.0.dfsg-6_i386.deb
to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6_i386.deb
libvorbis_1.2.0.dfsg-6.diff.gz
to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-6.diff.gz
libvorbis_1.2.0.dfsg-6.dsc
to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-6.dsc
libvorbisenc2_1.2.0.dfsg-6_amd64.deb
to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6_amd64.deb
libvorbisenc2_1.2.0.dfsg-6_i386.deb
to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6_i386.deb
libvorbisfile3_1.2.0.dfsg-6_amd64.deb
to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6_amd64.deb
libvorbisfile3_1.2.0.dfsg-6_i386.deb
to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 540958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Samuelson <peter@p12n.org> (supplier of updated libvorbis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 10 Aug 2009 23:11:11 -0500
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev
Architecture: amd64 i386 source
Version: 1.2.0.dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Peter Samuelson <peter@p12n.org>
Changed-By: Peter Samuelson <peter@p12n.org>
Closes: 504421 540958
Description:
libvorbis-dev - The Vorbis General Audio Compression Codec: development files
libvorbis0a - The Vorbis General Audio Compression Codec: decoder library
libvorbisenc2 - The Vorbis General Audio Compression Codec: encoder library
libvorbisfile3 - The Vorbis General Audio Compression Codec: high-level API
Changes:
libvorbis (1.2.0.dfsg-6) unstable; urgency=high
.
* Fix CVE-2009-2663: two bugs in libvorbis that allowed a crafted ogg
file to corrupt memory. (Closes: #540958)
* patches/CVE-2008-1420.patch: fix a regression playing files generated
by 1.0b1, from upstream trunk. Thanks Michael Gold. (Closes: #504421)
Checksums-Sha1:
2f63e469863d04c41ce6681f3e4e21bb4f5d278e 95702 libvorbisenc2_1.2.0.dfsg-6_amd64.deb
4b6dffb2f0ca515b1e3932a68d7b2c551beb88df 21376 libvorbisfile3_1.2.0.dfsg-6_i386.deb
50b31c351e8ee844a4a0bea7a536b04c1f59fe05 460640 libvorbis-dev_1.2.0.dfsg-6_i386.deb
5e0822b4712c7f629a1347ceb677ed1812fc051b 101828 libvorbis0a_1.2.0.dfsg-6_i386.deb
60f8f3f456440f1aa953f9e1f09fd5cc9990d0ac 77722 libvorbisenc2_1.2.0.dfsg-6_i386.deb
8d625ccccce67949e222154052b58f2b0ccb0cd7 20442 libvorbisfile3_1.2.0.dfsg-6_amd64.deb
8e78219e38096259a20e619c0de76a0ce8bb8f32 10851 libvorbis_1.2.0.dfsg-6.diff.gz
945e7d640e30e15f5c8008b03293e1b393ec0982 1112 libvorbis_1.2.0.dfsg-6.dsc
b6343e69667546c8d08f785c357e5d0762d0f699 108714 libvorbis0a_1.2.0.dfsg-6_amd64.deb
f727b78b8a55df77349e3d07d1b8aa0465d5e143 480906 libvorbis-dev_1.2.0.dfsg-6_amd64.deb
Checksums-Sha256:
2870bb797f12edd4f64f6918054e3ef1496b9499ddcc9e7be3ffca72228457ab 480906 libvorbis-dev_1.2.0.dfsg-6_amd64.deb
3d3b62a24cc743e2d10016c83a4c71de7395bce9cd4f9592b2e77ccd45c4a558 77722 libvorbisenc2_1.2.0.dfsg-6_i386.deb
56f314feac03b78f92f7f45af97677e1658bbb6ae6b382b61b1a3e48bab71eb8 1112 libvorbis_1.2.0.dfsg-6.dsc
5e4658dfcae8c58963da4660c9e4ea2525dabb1cbe4af98c818078ab7835958f 21376 libvorbisfile3_1.2.0.dfsg-6_i386.deb
df11ee7a4955e3e8dbf539dd12ff574c0705cec37f1ebfe3634ce39bb6a9c29f 10851 libvorbis_1.2.0.dfsg-6.diff.gz
72d566508f53b86a2a67bd1abb258b3fc306d88ab6042035c8733ec6b4f4f456 460640 libvorbis-dev_1.2.0.dfsg-6_i386.deb
7749b83ed92006cfd55adc592a33e5243dc42e7d49716e17c70f4215f5505aa7 108714 libvorbis0a_1.2.0.dfsg-6_amd64.deb
c65e2d94589d6a745e387d57fec1b1c08ba4ef72e56c80bf2c5e6065c0c25f15 95702 libvorbisenc2_1.2.0.dfsg-6_amd64.deb
d866121b242a4462fca999c3b1b683fd586f7cb325502a32aeac9cdced69ff96 101828 libvorbis0a_1.2.0.dfsg-6_i386.deb
de85660eef16d534ab52dbeb29219157ba363d4bb4f6b95403cc27b42f8dea62 20442 libvorbisfile3_1.2.0.dfsg-6_amd64.deb
Files:
21dc591cb009dd7363825db1e7f10f93 77722 libs optional libvorbisenc2_1.2.0.dfsg-6_i386.deb
25425a381337a10edc52c7e134b02fd4 480906 libdevel optional libvorbis-dev_1.2.0.dfsg-6_amd64.deb
2c8276c4d1dd1f7f8c84568860e598e3 21376 libs optional libvorbisfile3_1.2.0.dfsg-6_i386.deb
36eeb83b51c12367e61d1b284a1fdd42 1112 libs optional libvorbis_1.2.0.dfsg-6.dsc
5b9df343376d36d66be5ca87d7fb1427 460640 libdevel optional libvorbis-dev_1.2.0.dfsg-6_i386.deb
750bd6222019e923bf3dcb65fd4f1ced 108714 libs optional libvorbis0a_1.2.0.dfsg-6_amd64.deb
9454e0cc91f6d57959aee90412bc65d0 95702 libs optional libvorbisenc2_1.2.0.dfsg-6_amd64.deb
d0e3d32bd18ead398e00aadd21f566e5 101828 libs optional libvorbis0a_1.2.0.dfsg-6_i386.deb
e6a7ca5d0e13454157b65af1f7aa6a1f 20442 libs optional libvorbisfile3_1.2.0.dfsg-6_amd64.deb
eba5720d2bf41256e4c0f298c058f7f7 10851 libs optional libvorbis_1.2.0.dfsg-6.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKgkTuXk7sIRPQRh0RAsF4AJ4/yxnTu1tCpY/Njap1IjcojBXT0ACePZ1z
AkaWCBFW+sQlsbD1SciAlao=
=HXRk
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 09 Sep 2009 07:36:47 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:03:05 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon