From $URL:
--------------------------
The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input. A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution. A patch has been committed to the libfishsound public repository.
[...]
References:
http://trac.annodex.net/changeset/3535
http://trac.annodex.net/changeset/3536
http://www.annodex.net/software/libfishsound
--------------------------
We have 0.8.1 in the tree, but there is no stable version at all. lcars reported it on #gentoo-security.
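The missing check the advisory describes, as an added example that is not libfishsound's or Speex's code: a signed index read from untrusted header bytes selects an entry holding a function pointer, and the lookup must reject negative values as well as values past the end of the table. The table, the field offset, the function names and the upper-bound-only form of the flaw are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mode table: each entry carries a function pointer, as in the
 * advisory's description. Names and layout are constructed for illustration. */
typedef int (*init_fn)(void);
typedef struct { const char *name; init_fn init; } codec_mode;

static int init_nb(void)  { return 8000; }
static int init_wb(void)  { return 16000; }
static int init_uwb(void) { return 32000; }

static const codec_mode mode_table[] = {
    { "narrowband", init_nb }, { "wideband", init_wb }, { "ultra-wideband", init_uwb },
};
#define MODE_COUNT ((int32_t)(sizeof mode_table / sizeof mode_table[0]))
#define MODE_OFFSET ((size_t)4)  /* constructed offset of the mode field */

/* Read a little-endian signed 32-bit field from untrusted header bytes. */
static int32_t read_le32(const uint8_t *p) {
    uint32_t u = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    int32_t s;
    memcpy(&s, &u, sizeof s);
    return s;
}

/* Assumed form of the flaw: only the upper bound is tested, so -1 passes. */
static int upper_bound_only_accepts(int32_t idx) { return idx < MODE_COUNT; }

/* Hardened lookup: reject short headers and any index outside [0, MODE_COUNT). */
static const codec_mode *select_mode(const uint8_t *hdr, size_t len) {
    if (hdr == NULL || len < MODE_OFFSET + 4) return NULL;
    int32_t idx = read_le32(hdr + MODE_OFFSET);
    if (idx < 0 || idx >= MODE_COUNT) return NULL;
    return &mode_table[idx];
}

int main(void) {
    /* Constructed sample headers: mode 1 (valid) and mode -1 (must be rejected). */
    const uint8_t ok[8]  = { 0, 0, 0, 0, 0x01, 0x00, 0x00, 0x00 };
    const uint8_t neg[8] = { 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
    const codec_mode *m = select_mode(ok, sizeof ok);
    printf("mode 1 -> %s\n", m ? m->name : "rejected");
    printf("mode -1 passes upper-bound-only check: %d\n",
           upper_bound_only_accepts(read_le32(neg + MODE_OFFSET)));
    printf("mode -1 -> %s\n", select_mode(neg, sizeof neg) ? "accepted" : "rejected");
    return 0;
}
```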
Attempting to set whiteboard... :)
I'd rate it ~2 since you probably need to open a file or url to be affected, so it qualifies for user-assisted.
The (patched) 0.9.0 is now in the tree.
Thanks, closing [noglsa] then. btw, "2008-04-07: libfishsound 0.9.1 is released"