Ubuntu
speex package

  1. Bug #218652
  2. Comment #3

Comment 3 for bug 218652

Revision history for this message
Till Ulen (tillulen) wrote :

Description

Uncontrolled array index in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

See:
http://www.ocert.org/advisories/ocert-2008-2.html
http://www.ocert.org/advisories/ocert-2008-004.html

From the oCERT advisory #2008-002:

"The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

A user controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values for the field, allowing the function pointer to be pointed at an arbitary position in memory. This allows remote code execution.

A patch has been committed to the libfishsound public repository.

Affected version: <= 0.9.0

Fixed version: 0.9.1

Additional affected packages:

Speex <= 1.1.12, the reference implementation from which libfishsound is derived.

Illiminable DirectShow Filters, which statically include the libfishsound library.

Annodex Plugins for Firefox.

Credit: reporter wishes to remain anonymous

CVE: CVE-2008-1686"

From the oCERT advisory #2008-004:

"The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and
are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.

Affected version:

gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:

gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.

CVE: CVE-2008-1686"