Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 280590 (CVE-2009-2663) - <media-libs/libvorbis-1.2.3 vorbis_book_decodevv_add() arbitrary code execution (CVE-2009-2663)
Summary: <media-libs/libvorbis-1.2.3 vorbis_book_decodevv_add() arbitrary code executi...
Status: RESOLVED FIXED
Alias: CVE-2009-2663
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-06 19:47 UTC by Robert Buchholz (RETIRED)
Modified: 2009-09-07 00:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
0001-First-half-of-fix-for-Mozilla-BZ-500254.patch (0001-First-half-of-fix-for-Mozilla-BZ-500254.patch,1.18 KB, patch)
2009-08-06 19:48 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
0002-Second-half-of-fix-to-Mozilla-BZ-5000254-sanity-chec.patch (0002-Second-half-of-fix-to-Mozilla-BZ-5000254-sanity-chec.patch,1.83 KB, patch)
2009-08-06 19:48 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:47:51 UTC
CVE-2009-2663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2663):
  libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
  3.5.x before 3.5.2 and other products, allows context-dependent
  attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via a crafted
  .ogg file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:48:44 UTC
Created attachment 200418 [details, diff]
0001-First-half-of-fix-for-Mozilla-BZ-500254.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:48:54 UTC
Created attachment 200419 [details, diff]
0002-Second-half-of-fix-to-Mozilla-BZ-5000254-sanity-chec.patch
Comment 3 Samuli Suominen gentoo-dev 2009-08-06 20:30:28 UTC
These are in 1.2.3. I verified by checking the code line by line. It can go stable.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 20:40:14 UTC
Thanks for the fast check ;-)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 20:40:20 UTC
Arches, please test and mark stable:
=media-libs/libvorbis-1.2.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-08-06 23:02:04 UTC
media-libs/fmod (both slots) bundle a libvorbis interfaces; whether this is libVorbis itself, tremor or nothing at all I cannot tell (since it's proprietary closed source).
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-07 05:37:04 UTC
x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-08-08 15:07:19 UTC
ppc64 done
Comment 9 Jeroen Roovers gentoo-dev 2009-08-09 14:23:35 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann gentoo-dev 2009-08-10 15:45:37 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2009-08-10 22:32:13 UTC
amd64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-08-16 11:15:53 UTC
arm/ia64/sh/sparc stable
Comment 13 nixnut (RETIRED) gentoo-dev 2009-08-23 09:06:24 UTC
ppc stable
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-31 07:27:13 UTC
GLSA request filed.
Comment 15 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-07 00:59:34 UTC
GLSA 200909-02