[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1251140538.5694.16.camel@mdlinux.technorage.com>
Date: Mon, 24 Aug 2009 15:02:18 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-825-1] libvorbis vulnerability
===========================================================
Ubuntu Security Notice USN-825-1 August 24, 2009
libvorbis vulnerability
CVE-2008-1420, CVE-2009-2663
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libvorbis0a 1.2.0.dfsg-2ubuntu0.2
Ubuntu 8.10:
libvorbis0a 1.2.0.dfsg-3.1ubuntu0.8.10.1
Ubuntu 9.04:
libvorbis0a 1.2.0.dfsg-3.1ubuntu0.9.04.1
After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.
Details follow:
It was discovered that libvorbis did not correctly handle certain malformed
ogg files. If a user were tricked into opening a specially crafted ogg file
with an application that uses libvorbis, an attacker could execute
arbitrary code with the user's privileges. (CVE-2009-2663)
USN-682-1 provided updated libvorbis packages to fix multiple security
vulnerabilities. The upstream security patch to fix CVE-2008-1420
introduced a regression when reading sound files encoded with libvorbis
1.0beta1. This update corrects the problem.
Original advisory details:
It was discovered that libvorbis did not correctly handle certain
malformed sound files. If a user were tricked into opening a specially
crafted sound file with an application that uses libvorbis, an attacker
could execute arbitrary code with the user's privileges. (CVE-2008-1420)
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.diff.gz
Size/MD5: 7638 5ef4a460b5fd50930d7fff2a3ae16525
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.dsc
Size/MD5: 936 d8ad7ba3c0193a2f3316bdc5fd1d5e3a
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_amd64.deb
Size/MD5: 475166 de6d259598243961b3c5182c94100f1b
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_amd64.deb
Size/MD5: 103952 88f017ca397bc19027405bc68a5289ce
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_amd64.deb
Size/MD5: 94498 76e594149cea4b564987e11dbafec73a
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_amd64.deb
Size/MD5: 19140 538a4089efae6cdfc04566fc58b42891
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_i386.deb
Size/MD5: 455682 de7271e005d596055ae7fa9b1b4bc62b
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_i386.deb
Size/MD5: 98852 bd8fa74c395c206003e6e91aadf6deeb
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_i386.deb
Size/MD5: 76234 8504521d4e73b31a0a6c609ab774e8ce
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_i386.deb
Size/MD5: 19986 98e7e407c4b79bd621fa30d2b84f9b2c
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_lpia.deb
Size/MD5: 457660 14ed971b555ea3670d5dd42f611620ce
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_lpia.deb
Size/MD5: 99468 07e87d8d7af71050d53166ced47504fe
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_lpia.deb
Size/MD5: 76374 6c8d29103543fb88fd1a062f1bfe5b0d
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_lpia.deb
Size/MD5: 19988 34bea1bc33491a9f6fc23cfbbe2e6fdd
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
Size/MD5: 484518 642acb42cf899742df77c023f611a5c3
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
Size/MD5: 108862 1b97fcc0cf8d5d761f4527ceec4ae6c5
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
Size/MD5: 83746 b063ec251329025e942c2957c7bec973
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_powerpc.deb
Size/MD5: 23846 9ea8d0f1d7e2feda361483667ee8c98b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_sparc.deb
Size/MD5: 462056 23faf950e87cdc4ca8afbb7e0ebf8efb
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_sparc.deb
Size/MD5: 99760 70afdb67c094d2f0335d6b0fc8613e39
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_sparc.deb
Size/MD5: 80730 e90392526ecb5627c47d0a0d7b0712c5
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_sparc.deb
Size/MD5: 19260 3cb72f75781984eb6d348f09e4892dea
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.diff.gz
Size/MD5: 8801 f3917fc3cf6a8e35febf6b334cda2cdf
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.dsc
Size/MD5: 1388 4ba46a758620e3fe5d938cfe97ed038f
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
Size/MD5: 479182 1eeb2b5e550c6f815c33324df5554f76
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
Size/MD5: 108578 e960e8b794da2927d930f1cf4334ec23
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
Size/MD5: 95710 84bbe4ccb1f4b302c0710c2c86f5b89a
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb
Size/MD5: 20338 34698dc57acb94faa3464a9f0b5d2c50
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
Size/MD5: 459476 9281d6ab6f50761dff11d81a8579a884
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
Size/MD5: 101988 77988363a0bf4a683b941cae203e6e5e
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
Size/MD5: 77430 430623540170ef59f74808456daecd5f
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb
Size/MD5: 21394 f46e5ee13b6c7c8adebad46f274caa43
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
Size/MD5: 461190 ef1e6948c399b4b4d34b4993ca1a0fd8
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
Size/MD5: 102700 685a266d67332245778e49e208ab60eb
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
Size/MD5: 77588 266965c986c24dc8acbf9f0ecee6121e
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb
Size/MD5: 21222 4df718e05f80a23ebb5accc4a627933f
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
Size/MD5: 490558 ffe86da6864c8d83c7f7b5931c9ef0e4
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
Size/MD5: 114702 b8e2d3ab8557085c3c834ae57ca68490
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
Size/MD5: 85080 d1d00cca1f654d523fa6a6f054a89df8
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb
Size/MD5: 25152 ea2c19f249936b64a5110b2330394533
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
Size/MD5: 465326 78eaf19b4bb88f020a41699894f1d502
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
Size/MD5: 104264 4a602b8bebfb44f3cfa7add1187af42a
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
Size/MD5: 82016 4ed85df7024e4b2d9826a8191b3cf112
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb
Size/MD5: 20786 d7b24c2778ce94510823f86fd94d1e04
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.diff.gz
Size/MD5: 8809 9a4601ba8d5ef852360032dc4f28135b
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.dsc
Size/MD5: 1388 7bf6c7ee35a1ca2b0d4b25e8188585b5
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz
Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
Size/MD5: 479242 f585f7e7ae50de3569efc48dfed2dd55
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
Size/MD5: 108562 3ba8aada28f378b9776e0c8305e271fc
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
Size/MD5: 95702 68add631494d9a565d58a8b22a5f9bf0
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb
Size/MD5: 20328 da6cc0a70f79cfa253445d563ee5c250
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
Size/MD5: 459624 8e285a17020f6b93dc375af4f8284920
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
Size/MD5: 102166 6148fa7ea86461915751f0dba2ef00c6
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
Size/MD5: 77442 505253f72260e8f365ce68d947acab36
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb
Size/MD5: 21392 fee6650bfc4b4463a5a71e3dd12528bf
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
Size/MD5: 461294 24968b96a1ddafaef908011c82a6b9ee
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
Size/MD5: 102760 30ee010aefe3420151f6ace2e4a92b2b
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
Size/MD5: 77590 b6c9b556dfb4eae270f45fd1e9670700
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb
Size/MD5: 21216 791d88d0551b48a2f6af17612c4e096e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
Size/MD5: 490584 dc808a4fd3fdabfb9a76a10ec23f6529
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
Size/MD5: 114712 cdfdd11b2c932cb2a017c27d1001fbc1
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
Size/MD5: 85096 6cb5a1202e3db005ce69d7f2e0f8813c
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb
Size/MD5: 25156 9ddf20413d09f546d061b3a0b093ad1e
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
Size/MD5: 465382 4de8bfe56cdcbf0490c2a69de7bca0e9
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
Size/MD5: 104286 6a238cd48456d2bd4b1b6dad87a0b506
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
Size/MD5: 81958 ce25c1cc928142e84a20c8f37caecf52
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb
Size/MD5: 20758 976ef82da1d5cb2de170dc5dcf4532b9
Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists