lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070726171832.GC1887@isecpartners.com>
Date: Thu, 26 Jul 2007 10:18:33 -0700
From: David Thiel <david@...cpartners.com>
To: bugtraq@...urityfocus.com
Subject: libvorbis 1.1.2 - Multiple memory corruption flaws

iSEC Partners Security Advisory - 2007-003-libvorbis
http://www.isecpartners.com
--------------------------------------------

libvorbis 1.1.2 - Multiple memory corruption flaws

Vendor: Xiph.org
Vendor URL: http://www.xiph.org
Systems Affected: All tested software based upon libvorbis 1.1.2
Severity: High (Heap corruption, Denial of Service, Potential code execution)
Author: David Thiel <david[at]isecpartners[dot]com>

Vendor notified: 2007-06-05
Public release: 2007-07-26
Advisory URL: http://www.isecpartners.com/advisories/2007-003-libvorbis.txt

Summary:
--------

libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite,
read violations and a function pointer overwrite. These bugs cause a
at least a denial of service, and potentially code execution.

Details:
--------

Invalid blocksize_0 and blocksize_1 values result in a heap overwrite in
the _01inverse() function of res0.c.

An invalid mapping type causes an out of bounds dispatch table
lookup, offset by an attacker-controlled value, during cleanup in
vorbis_info_clear() in info.c.

Additionally, invalid blocksize values cause a segmentation fault on 
read in block.c.

Fix Information:
----------------

These issues are resolved in libvorbis 1.2.0, available at:

http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.bz2

Thanks to:
----------

Ralph Giles and Xiphmont of Xiph.org for their detailed help determining
root causes of and fixes for these issues.

About iSEC Partners:
--------------------

iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification, with offices in San Francisco and 
Seattle.

Information on testing media players and codecs to expose and prevent
similar bugs and tools to do the same will be presented at BlackHat USA
2007.

http://www.isecpartners.com
info@...cpartners.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ