Bug 217605 - media-video/vlc speex implementations insufficient boundary checks
Summary: media-video/vlc speex implementations insufficient boundary checks
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream]
Keywords:
Depends on: 217715
Blocks:
Reported: 2008-04-14 09:31 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-04-17 10:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-14 09:31:58 UTC
This bug is not public yet, please do not disclose any information.

vorbis-tools appears to include vulnerable speex code

see http://www.ocert.org/advisories/ocert-2008-2.html
as well as bug 216499 and bug 217373 for similar issues
Comment 1 Alexis Ballier gentoo-dev 2008-04-14 15:46:46 UTC
Do we have a proof of concept for this? Like a file that would make apps crash, to send upstream, as the number of affected apps is growing.
Patch is easy but upstream should be contacted first; how can we know if it has been done?
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-14 16:08:42 UTC
Sorry for the lack of information.

Upstream should have been contacted by oCERT, which is where the notification about the affected applications came from.
I asked about which upstreams of affected packages responded and will let you know.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 17:45:36 UTC
(In reply to comment #1)
> Do we have a proof of concept for this?

Unfortunately, not.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 22:25:02 UTC
This does not need to be fixed if we enable the workaround in libspeex, which
is bug 217715.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 09:42:19 UTC
now public via http://www.ocert.org/advisories/ocert-2008-004.html
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 10:11:32 UTC
closing, see comment #4.