Debian Bug report logs - #540958
libvorbis: CVE-2009-2663 vulnerability

version graph

Package: libvorbis; Maintainer for libvorbis is Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>;

Reported by: Michael S Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 10 Aug 2009 23:36:01 UTC

Severity: grave

Tags: security

Found in version 1.1.2.dfsg-1.4

Fixed in version libvorbis/1.2.0.dfsg-6

Done: Peter Samuelson <peter@p12n.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#540958; Package libvorbis. (Mon, 10 Aug 2009 23:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Peter Samuelson <peter@p12n.org>. (Mon, 10 Aug 2009 23:36:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: libvorbis: CVE-2009-2663 vulnerability
Date: Mon, 10 Aug 2009 19:30:54 -0400
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvorbis.

CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
| application crash) or possibly execute arbitrary code via a crafted
| .ogg file.

Please coordinate with the security team to prepare updates for the
stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
    http://security-tracker.debian.net/tracker/CVE-2009-2663




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#540958; Package libvorbis. (Tue, 11 Aug 2009 04:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list. (Tue, 11 Aug 2009 04:06:05 GMT) Full text and rfc822 format available.

Message #10 received at 540958@bugs.debian.org (full text, mbox):

From: Peter Samuelson <peter@p12n.org>
To: Michael S Gilbert <michael.s.gilbert@gmail.com>, 540958@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#540958: libvorbis: CVE-2009-2663 vulnerability
Date: Mon, 10 Aug 2009 23:01:36 -0500
[Message part 1 (text/plain, inline)]
> CVE-2009-2663[0]:
> | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> | 3.5.x before 3.5.2 and other products, allows context-dependent
> | attackers to cause a denial of service (memory corruption and
> | application crash) or possibly execute arbitrary code via a crafted
> | .ogg file.

Thanks, I'll prepare updates for etch, lenny, and sid.  I assume the
Mozillae in Debian use the system libvorbis, not a separate copy.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#540958; Package libvorbis. (Tue, 11 Aug 2009 06:15:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list. (Tue, 11 Aug 2009 06:15:03 GMT) Full text and rfc822 format available.

Message #15 received at 540958@bugs.debian.org (full text, mbox):

From: Peter Samuelson <peter@p12n.org>
To: 540958@bugs.debian.org, security@debian.org
Subject: Re: Bug#540958: libvorbis: CVE-2009-2663 vulnerability
Date: Tue, 11 Aug 2009 01:12:29 -0500
[Message part 1 (text/plain, inline)]
> CVE-2009-2663[0]:
> | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> | 3.5.x before 3.5.2 and other products, allows context-dependent
> | attackers to cause a denial of service (memory corruption and
> | application crash) or possibly execute arbitrary code via a crafted
> | .ogg file.

I've applied upstream's patch[*] to the etch and lenny libvorbis releases:

    http://p12n.org/tmp/cve-2009-2663/libvorbis_1.1.2.dfsg-1.4+etch1.dsc
    http://p12n.org/tmp/cve-2009-2663/libvorbis_1.2.0.dfsg-3.1+lenny1.dsc

I'm prepared to upload the same patch to sid, as libvorbis 1.2.0.dfsg-6.
(I could upload a new upstream version, but I'd like to try and resolve
a dfsg situation there first.)

[*] svn diff -r16180:16182 http://svn.xiph.org/trunk/vorbis
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#540958; Package libvorbis. (Tue, 11 Aug 2009 15:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Tue, 11 Aug 2009 15:39:03 GMT) Full text and rfc822 format available.

Message #20 received at 540958@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 540958@bugs.debian.org, security@debian.org
Subject: Re: Bug#540958: libvorbis: CVE-2009-2663 vulnerability
Date: Tue, 11 Aug 2009 11:39:22 -0400
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
> 
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
> 
> Thanks, I'll prepare updates for etch, lenny, and sid.  I assume the
> Mozillae in Debian use the system libvorbis, not a separate copy.

no, in fact they embed, and i've submitted a bug for that separately.
thanks for working this!

mike




Reply sent to Peter Samuelson <peter@p12n.org>:
You have taken responsibility. (Wed, 12 Aug 2009 05:03:06 GMT) Full text and rfc822 format available.

Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 12 Aug 2009 05:03:07 GMT) Full text and rfc822 format available.

Message #25 received at 540958-close@bugs.debian.org (full text, mbox):

From: Peter Samuelson <peter@p12n.org>
To: 540958-close@bugs.debian.org
Subject: Bug#540958: fixed in libvorbis 1.2.0.dfsg-6
Date: Wed, 12 Aug 2009 04:47:09 +0000
Source: libvorbis
Source-Version: 1.2.0.dfsg-6

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive:

libvorbis-dev_1.2.0.dfsg-6_amd64.deb
  to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6_amd64.deb
libvorbis-dev_1.2.0.dfsg-6_i386.deb
  to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6_i386.deb
libvorbis0a_1.2.0.dfsg-6_amd64.deb
  to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6_amd64.deb
libvorbis0a_1.2.0.dfsg-6_i386.deb
  to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6_i386.deb
libvorbis_1.2.0.dfsg-6.diff.gz
  to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-6.diff.gz
libvorbis_1.2.0.dfsg-6.dsc
  to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-6.dsc
libvorbisenc2_1.2.0.dfsg-6_amd64.deb
  to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6_amd64.deb
libvorbisenc2_1.2.0.dfsg-6_i386.deb
  to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6_i386.deb
libvorbisfile3_1.2.0.dfsg-6_amd64.deb
  to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6_amd64.deb
libvorbisfile3_1.2.0.dfsg-6_i386.deb
  to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 540958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Samuelson <peter@p12n.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 Aug 2009 23:11:11 -0500
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev
Architecture: amd64 i386 source 
Version: 1.2.0.dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Peter Samuelson <peter@p12n.org>
Changed-By: Peter Samuelson <peter@p12n.org>
Closes: 504421 540958
Description:
 libvorbis-dev - The Vorbis General Audio Compression Codec: development files
 libvorbis0a - The Vorbis General Audio Compression Codec: decoder library
 libvorbisenc2 - The Vorbis General Audio Compression Codec: encoder library
 libvorbisfile3 - The Vorbis General Audio Compression Codec: high-level API
Changes:
 libvorbis (1.2.0.dfsg-6) unstable; urgency=high
 .
   * Fix CVE-2009-2663: two bugs in libvorbis that allowed a crafted ogg
     file to corrupt memory.  (Closes: #540958)
   * patches/CVE-2008-1420.patch: fix a regression playing files generated
     by 1.0b1, from upstream trunk.  Thanks Michael Gold.  (Closes: #504421)
Checksums-Sha1: 
 2f63e469863d04c41ce6681f3e4e21bb4f5d278e 95702 libvorbisenc2_1.2.0.dfsg-6_amd64.deb
 4b6dffb2f0ca515b1e3932a68d7b2c551beb88df 21376 libvorbisfile3_1.2.0.dfsg-6_i386.deb
 50b31c351e8ee844a4a0bea7a536b04c1f59fe05 460640 libvorbis-dev_1.2.0.dfsg-6_i386.deb
 5e0822b4712c7f629a1347ceb677ed1812fc051b 101828 libvorbis0a_1.2.0.dfsg-6_i386.deb
 60f8f3f456440f1aa953f9e1f09fd5cc9990d0ac 77722 libvorbisenc2_1.2.0.dfsg-6_i386.deb
 8d625ccccce67949e222154052b58f2b0ccb0cd7 20442 libvorbisfile3_1.2.0.dfsg-6_amd64.deb
 8e78219e38096259a20e619c0de76a0ce8bb8f32 10851 libvorbis_1.2.0.dfsg-6.diff.gz
 945e7d640e30e15f5c8008b03293e1b393ec0982 1112 libvorbis_1.2.0.dfsg-6.dsc
 b6343e69667546c8d08f785c357e5d0762d0f699 108714 libvorbis0a_1.2.0.dfsg-6_amd64.deb
 f727b78b8a55df77349e3d07d1b8aa0465d5e143 480906 libvorbis-dev_1.2.0.dfsg-6_amd64.deb
Checksums-Sha256: 
 2870bb797f12edd4f64f6918054e3ef1496b9499ddcc9e7be3ffca72228457ab 480906 libvorbis-dev_1.2.0.dfsg-6_amd64.deb
 3d3b62a24cc743e2d10016c83a4c71de7395bce9cd4f9592b2e77ccd45c4a558 77722 libvorbisenc2_1.2.0.dfsg-6_i386.deb
 56f314feac03b78f92f7f45af97677e1658bbb6ae6b382b61b1a3e48bab71eb8 1112 libvorbis_1.2.0.dfsg-6.dsc
 5e4658dfcae8c58963da4660c9e4ea2525dabb1cbe4af98c818078ab7835958f 21376 libvorbisfile3_1.2.0.dfsg-6_i386.deb
 df11ee7a4955e3e8dbf539dd12ff574c0705cec37f1ebfe3634ce39bb6a9c29f 10851 libvorbis_1.2.0.dfsg-6.diff.gz
 72d566508f53b86a2a67bd1abb258b3fc306d88ab6042035c8733ec6b4f4f456 460640 libvorbis-dev_1.2.0.dfsg-6_i386.deb
 7749b83ed92006cfd55adc592a33e5243dc42e7d49716e17c70f4215f5505aa7 108714 libvorbis0a_1.2.0.dfsg-6_amd64.deb
 c65e2d94589d6a745e387d57fec1b1c08ba4ef72e56c80bf2c5e6065c0c25f15 95702 libvorbisenc2_1.2.0.dfsg-6_amd64.deb
 d866121b242a4462fca999c3b1b683fd586f7cb325502a32aeac9cdced69ff96 101828 libvorbis0a_1.2.0.dfsg-6_i386.deb
 de85660eef16d534ab52dbeb29219157ba363d4bb4f6b95403cc27b42f8dea62 20442 libvorbisfile3_1.2.0.dfsg-6_amd64.deb
Files: 
 21dc591cb009dd7363825db1e7f10f93 77722 libs optional libvorbisenc2_1.2.0.dfsg-6_i386.deb
 25425a381337a10edc52c7e134b02fd4 480906 libdevel optional libvorbis-dev_1.2.0.dfsg-6_amd64.deb
 2c8276c4d1dd1f7f8c84568860e598e3 21376 libs optional libvorbisfile3_1.2.0.dfsg-6_i386.deb
 36eeb83b51c12367e61d1b284a1fdd42 1112 libs optional libvorbis_1.2.0.dfsg-6.dsc
 5b9df343376d36d66be5ca87d7fb1427 460640 libdevel optional libvorbis-dev_1.2.0.dfsg-6_i386.deb
 750bd6222019e923bf3dcb65fd4f1ced 108714 libs optional libvorbis0a_1.2.0.dfsg-6_amd64.deb
 9454e0cc91f6d57959aee90412bc65d0 95702 libs optional libvorbisenc2_1.2.0.dfsg-6_amd64.deb
 d0e3d32bd18ead398e00aadd21f566e5 101828 libs optional libvorbis0a_1.2.0.dfsg-6_i386.deb
 e6a7ca5d0e13454157b65af1f7aa6a1f 20442 libs optional libvorbisfile3_1.2.0.dfsg-6_amd64.deb
 eba5720d2bf41256e4c0f298c058f7f7 10851 libs optional libvorbis_1.2.0.dfsg-6.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKgkTuXk7sIRPQRh0RAsF4AJ4/yxnTu1tCpY/Njap1IjcojBXT0ACePZ1z
AkaWCBFW+sQlsbD1SciAlao=
=HXRk
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 09 Sep 2009 07:36:47 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:55:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.