Home page logo
/

bugtraq logo Bugtraq mailing list archives

[oCERT-2008-004] multiple speex implementations insufficient boundary checks
From: Andrea Barisani <lcars () ocert org>
Date: Thu, 17 Apr 2008 07:32:55 +0000


2008/04/17 #2008-004 multiple speex implementations insufficient boundary
checks

Description:

The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and
are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.

Affected version:

gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:

gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.

CVE: CVE-2008-1686

Timeline:
2008-04-10: investigation of oCERT-2008-002 leads to discovery of more affected packages
2008-04-10: Speex header processing code fixed in CVS
2008-04-11: contacted upstream maintainers and affected vendors
2008-04-11: gstreamer-plugins-good patched in CVS
2008-04-11: sweep 0.9.3 released
2008-04-11: SDL_sound patched in CVS
2008-04-14: vorbis-tools patched in CVS
2008-04-14: xine-lib 1.1.12 released
2008-04-17: advisory release

References:
http://www.ocert.org/advisories/ocert-2008-2.html
http://trac.xiph.org/changeset/14701
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41
http://trac.metadecks.org/changeset/554
http://svn.icculus.org/SDL_sound?view=rev&revision=537
http://svn.icculus.org/SDL_sound?view=rev&revision=538
http://trac.xiph.org/changeset/14728
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718fb;style=gitweb

Links:
http://gstreamer.freedesktop.org/modules/gst-plugins-good.html
http://icculus.org/SDL_sound
http://www.speex.org
http://www.metadecks.org/software/sweep/
http://xiph.org
http://www.videolan.org/vlc
http://xinehq.de

Permalink:
http://www.ocert.org/advisories/ocert-2008-004.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars () ocert org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"


  By Date           By Thread  

Current thread:
  • [oCERT-2008-004] multiple speex implementations insufficient boundary checks Andrea Barisani (Apr 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]