
Bug 216499

Summary: media-libs/libfishsound < 0.9.0: speex remote code execution (CVE-2008-1686)
Product: Gentoo Security
Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: sound
Priority: High
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.ocert.org/advisories/ocert-2008-2.html
Whiteboard: ~2? [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 217715    
Bug Blocks:    

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-04-06 10:59:26 UTC
From $URL:
--------------------------
The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution.

A patch has been committed to the libfishsound public repository.

[...]

References:
http://trac.annodex.net/changeset/3535
http://trac.annodex.net/changeset/3536
http://www.annodex.net/software/libfishsound
--------------------------


We have 0.8.1 in the tree, but there is no stable version at all.

lcars reported it on #gentoo-security.
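
Added example, not part of the bug report and not libfishsound or Speex code: the class of bug the advisory describes, a signed index read from an untrusted header and used to select a function pointer, with a range check that covers both directions. The header layout (a little-endian signed 32-bit mode index at offset 0), the table and all names are constructed assumptions, as is the premise that the flawed check tested only the upper bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for per-mode decoder entry points. */
typedef int (*decode_fn)(const uint8_t *in, size_t len);
static int decode_nb(const uint8_t *in, size_t len) { (void)in; return (int)len; }
static int decode_wb(const uint8_t *in, size_t len) { (void)in; return (int)len * 2; }

static const decode_fn mode_table[] = { decode_nb, decode_wb };
#define MODE_COUNT ((int32_t)(sizeof mode_table / sizeof mode_table[0]))

/* Hypothetical layout: signed 32-bit mode index, little-endian, at offset 0.
 * The final cast relies on two's-complement conversion, as on common targets. */
static int32_t read_mode(const uint8_t *hdr) {
    uint32_t v = (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                 (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    return (int32_t)v;
}

/* Assumed shape of the flawed check: upper bound only, so any negative
 * index is accepted and would address memory before the table. */
static int weak_check_accepts(int32_t mode) {
    return mode < MODE_COUNT;
}

/* Hardened lookup: reject short headers and indices outside [0, MODE_COUNT). */
static decode_fn lookup_decoder(const uint8_t *hdr, size_t hdr_len) {
    if (hdr == NULL || hdr_len < 4)
        return NULL;
    int32_t mode = read_mode(hdr);
    if (mode < 0 || mode >= MODE_COUNT)
        return NULL;
    return mode_table[mode];
}

int main(void) {
    const uint8_t negative[4] = { 0xff, 0xff, 0xff, 0xff }; /* constructed: mode = -1 */
    const uint8_t valid[4]    = { 0x01, 0x00, 0x00, 0x00 }; /* constructed: mode = 1 */
    printf("mode=%d weak check accepts=%d hardened lookup=%s\n",
           (int)read_mode(negative), weak_check_accepts(read_mode(negative)),
           lookup_decoder(negative, sizeof negative) ? "decoder" : "rejected");
    printf("mode=%d hardened lookup=%s\n", (int)read_mode(valid),
           lookup_decoder(valid, sizeof valid) ? "decoder" : "rejected");
    return 0;
}
```
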
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-04-06 11:02:32 UTC
Attempting to set whiteboard... :)
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 12:08:26 UTC
I'd rate it ~2 since you probably need to open a file or url to be affected, so it qualifies for user-assisted.

Comment 3 Alexis Ballier gentoo-dev 2008-04-06 20:15:57 UTC
the (patched) 0.9.0 is now in the tree
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-07 00:33:47 UTC
Thanks, closing [noglsa] then.

btw, "2008-04-07: libfishsound 0.9.1 is released"