BugTraq
[oCERT-2008-004] multiple speex implementations insufficientboundary checks Apr 17 2008 07:32AM
Andrea Barisani (lcars ocert org)

2008/04/17 #2008-004 multiple speex implementations insufficient boundary
checks

Description:

The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has been
reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and
are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code,
the speex_packet_to_header() function has been modified to bound the returned
mode values in Speex >= 1.2beta3.2. This change automatically fixes
applications that use the Speex library dynamically.

Affected version:

gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin

Fixed version:

gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
SDL_sound, patched in CVS
Speex >= 1.2beta3.2 (patched in CVS)
Sweep >= 0.9.3
vorbis-tools, patched in CVS
VLC Media Player, N/A
xine-lib >= 1.1.12
XMMS speex plugin, N/A

Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
from the Red Hat Security Response Team for his help in investigating the
issue.

CVE: CVE-2008-1686

Timeline:
2008-04-10: investigation of oCERT-2008-002 leads to discovery of more affected packages
2008-04-10: Speex header processing code fixed in CVS
2008-04-11: contacted upstream maintainers and affected vendors
2008-04-11: gstreamer-plugins-good patched in CVS
2008-04-11: sweep 0.9.3 released
2008-04-11: SDL_sound patched in CVS
2008-04-14: vorbis-tools patched in CVS
2008-04-14: xine-lib 1.1.12 released
2008-04-17: advisory release

References:
http://www.ocert.org/advisories/ocert-2008-2.html
http://trac.xiph.org/changeset/14701
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstsp
eexdec.c?r1=1.40&r2=1.41
http://trac.metadecks.org/changeset/554
http://svn.icculus.org/SDL_sound?view=rev&revision=537
http://svn.icculus.org/SDL_sound?view=rev&revision=538
http://trac.xiph.org/changeset/14728
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718f
b;style=gitweb

Links:
http://gstreamer.freedesktop.org/modules/gst-plugins-good.html
http://icculus.org/SDL_sound
http://www.speex.org
http://www.metadecks.org/software/sweep/
http://xiph.org
http://www.videolan.org/vlc
http://xinehq.de

Permalink:
http://www.ocert.org/advisories/ocert-2008-004.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team

<lcars (at) ocert (dot) org [email concealed]> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus