Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 222085 (CVE-2008-1419) - media-libs/libvorbis <1.2.1_rc1 arbitrary code execution, DoS (CVE-2008-{1419,1420,1423})
Summary: media-libs/libvorbis <1.2.1_rc1 arbitrary code execution, DoS (CVE-2008-{1419...
Alias: CVE-2008-1419
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2008-05-14 15:01 UTC by Christian Hoffmann (RETIRED)
Modified: 2020-04-08 21:47 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-05-14 15:01:22 UTC
From $URL:

Will Drewry of the Google Security Team reported several flaws in the way
libvorbis processed audio data. An attacker could create a carefully
crafted OGG audio file in such a way that it could cause an application
linked with libvorbis to crash, or execute arbitrary code when it was
opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)

Moreover, additional OGG file sanity-checks have been added to prevent
possible exploitation of similar issues in the future.

Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-14 15:10:11 UTC
Setting whiteboard.
Does any software bundle libvorbis? (embedded-code-copies from the security overlay doesn't list any)
Comment 2 Alexis Ballier gentoo-dev 2008-05-17 10:51:41 UTC
1.2.0-r1 has the patches
Comment 3 Giacomo Perale 2008-05-18 08:58:41 UTC
The patches libvorbis-1.2.0-CVE-2008-1419.patch and libvorbis-1.2.0-CVE-2008-1420.patch don't apply here.
Comment 4 Alexis Ballier gentoo-dev 2008-05-18 09:19:13 UTC
(In reply to comment #3)
> The patches libvorbis-1.2.0-CVE-2008-1419.patch and
> libvorbis-1.2.0-CVE-2008-1420.patch don't apply here.

Yep they had dos line endings, thanks to dleverton for pointing that. It should be better now.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-05-18 13:29:24 UTC
Thanks for patching so far. There are some issues that are not covered in our bug report, and so did not make it into your patches:

(1) vorbis comment length checks

(2) "Additional bulletproofing to hufftree decoding"

Both are what was called "additional sanity-checks" at the top, and might lead to buffer-overread / overflow situations.

Furthermore, an 1.2.1-rc1 is out with all the patches, and I guess one could just ping Ralph to release the final:
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 08:02:30 UTC
Alexis/Sound maintainers, is there any update here? I would really like to have a later version in stable that either includes the additional patches, or is based on a current SVN snapshot. I talked to Ralph Giles, and he confirmed that the 1.2.1 rc1 is good on linux, and so is the current trunk. The reason for the delay of the release was build problems on Windows.
Comment 7 Ben de Groot (RETIRED) gentoo-dev 2008-06-12 12:07:34 UTC
1.2.1_rc1 committed to portage cvs
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-06-12 12:35:36 UTC
Thanks, Ben. Do you want to keep this in ~arch for a few days, or go stabling right away?
Comment 9 Ben de Groot (RETIRED) gentoo-dev 2008-06-12 13:11:41 UTC
I'd say go ahead with stabling, as there are no issues on linux reported upstream, and everything on my end works fine.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-06-12 13:50:53 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-12 15:00:36 UTC
Stable for HPPA.
Comment 12 Friedrich Oslage (RETIRED) gentoo-dev 2008-06-12 20:19:37 UTC
stable on sparc
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-06-12 20:23:37 UTC
ppc64 done
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-13 08:07:42 UTC
x86 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-13 15:24:24 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-06-13 15:35:19 UTC
ia64 stable
Comment 17 Tobias Klausmann gentoo-dev 2008-06-13 19:24:03 UTC
Stable on alpha.
Comment 18 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-06-13 23:16:10 UTC

1. Compiles fine.
2. Installs with no errors/warnings.
3. All things on my system that depend still link/run with the new libvorbis.

Portage (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 x86_64)
System uname: 2.6.24-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3400+
Timestamp of tree: Fri, 13 Jun 2008 19:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-lang/python:     2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-march=athlon64 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/svn/env /usr/kde/svn/share/config /usr/kde/svn/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/usr/portage/local/layman/science /overlay"
USE="X acl aiglx aim amd64 berkdb branding cli cracklib crypt cups dri fortran gdbm gpm gtk iconv imap ipv6 isdnlog midi mmx mpeg3 mudflap ncurses nls nptl nptlonly nvidia opengl openmp pam pcre perl pppd python qt3 readline reflection session sockets spl sqlite3 sse sse2 ssl tcpd unicode vim xcomposite xine xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Comment 19 Richard Freeman gentoo-dev 2008-06-14 14:30:10 UTC
amd64 stable - thanks for testing
Comment 20 Peter Volkov (RETIRED) gentoo-dev 2008-06-16 15:56:53 UTC
Fixed in release snapshot.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-06-23 23:04:50 UTC
GLSA 200806-09