Vigil@nce : libvorbis: several vulnerabilities
May 2008  by Vigil@nce

Several vulnerabilities of libvorbis lead to a denial of service or to code execution when the victim opens an OGG audio file.

Gravity: 3/4

CVSS: 6.8/10

Consequences: user access/rights, denial of service of client

Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 14/05/2008

Identifier: VIGILANCE-VUL-7825

AFFECTED PRODUCTS

- Red Hat Enterprise Linux versions AS 2.1, AW 2.1, ES 2.1, WS 2.1 [with libvorbis < 1.0rc2-9.el2]
- Red Hat Enterprise Linux versions AS 3, Desktop 3, ES 3, WS 3 [with libvorbis < 1.0-10.el3]
- Red Hat Enterprise Linux versions AS 4, Desktop 4, ES 4, WS 4 [with libvorbis < 1.1.0-3.el4]
- Red Hat Enterprise Linux versions Client 5, Server 5 [with libvorbis < 1.1.2-3.el5_1.2]

Similar products, or versions lower than those indicated, may also be affected.
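
A check against the fixed builds listed above, as an added example that is not part of the Vigil@nce advisory: it compares an installed libvorbis version-release string with the thresholds from the list, using a simplified reimplementation of rpm's segment-wise version comparison. It assumes the package epoch is the same on both sides and that the strings contain no `~` or `^`; the function names and sample inputs are constructed for illustration.

```python
import re

# Fixed builds, copied from the AFFECTED PRODUCTS list of this advisory,
# keyed by Red Hat Enterprise Linux major version.
FIXED = {
    "2.1": "1.0rc2-9.el2",
    "3": "1.0-10.el3",
    "4": "1.1.0-3.el4",
    "5": "1.1.2-3.el5_1.2",
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.

    Simplification (assumption): the '~' and '^' modifiers are not handled.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1  # a numeric segment beats an alphabetic one
        if xd:
            x, y = int(x), int(y)   # numeric compare, so 10 > 9
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a, b):
    """Compare 'version-release' strings; epoch is assumed equal on both sides."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(rhel_major, installed_vr):
    """True if the installed build is older than the fixed build for that release."""
    return compare_vr(installed_vr, FIXED[rhel_major]) < 0


if __name__ == "__main__":
    # Constructed sample inputs, e.g. as printed by:
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' libvorbis
    for major, vr in [("5", "1.1.2-3.el5"), ("5", "1.1.2-3.el5_1.2"), ("4", "1.1.0-2.el4.5")]:
        print(major, vr, "AFFECTED" if is_affected(major, vr) else "fixed")
```
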

DESCRIPTION

The libvorbis library implements the Ogg Vorbis audio format. It is used by software that creates or plays OGG files. Four vulnerabilities were announced in libvorbis.

A short codebook creates an infinite loop or a heap overflow. [grav:3/4; CVE-2008-1419]

A computation error in partvals creates an integer overflow. [grav:2/4; CVE-2008-1420]

A long codebook creates an integer overflow. [grav:2/4; CVE-2008-1423]

A memory corruption occurs in the _make_decode_tree() function, used to decode a Huffman tree. [grav:3/4; CVE-2008-2009]

An attacker can therefore create a denial of service or execute code when the victim opens an OGG audio file.

CHARACTERISTICS

Identifiers: CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009, RHSA-2008:0270-01, RHSA-2008:0271-01, VIGILANCE-VUL-7825
CVSS score: 6.8/10
https://vigilance.aql.fr/tree/1/7825


