Executive Summary

Summary
Title libvorbis security update
Informations
Name RHSA-2009:1561 First vendor Publication 2009-11-09
Vendor RedHat Last vendor Modification 2009-11-09
Severity (Vendor) Important Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated libvorbis packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format.

Multiple flaws were found in the libvorbis library. A specially-crafted Ogg Vorbis media format file (Ogg) could cause an application using libvorbis to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3379)

Users of libvorbis should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

531765 - CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2009-1561.html

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10993
 
Oval ID: oval:org.mitre.oval:def:10993
Title: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3379
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12897
 
Oval ID: oval:org.mitre.oval:def:12897
Title: DSA-1939-1 libvorbis -- several
Description: Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service or possibly execute arbitrary code via a crafted .ogg file. For the oldstable distribution, these problems have been fixed in version 1.1.2.dfsg-1.4+etch1. For the stable distribution, these problems have been fixed in version 1.2.0.dfsg-3.1+lenny1. For the testing distribution and the unstable distribution, these problems have been fixed in version 1.2.3-1 We recommend that you upgrade your libvorbis packages.
Family: unix Class: patch
Reference(s): DSA-1939-1
CVE-2009-2663
CVE-2009-3379
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13944
 
Oval ID: oval:org.mitre.oval:def:13944
Title: USN-861-1 -- libvorbis vulnerabilities
Description: It was discovered that libvorbis did not correctly handle ogg files with underpopulated Huffman trees. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service. It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user�s privileges
Family: unix Class: patch
Reference(s): USN-861-1
CVE-2008-2009
CVE-2009-3379
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 8.10
Ubuntu 9.10
Ubuntu 9.04
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22503
 
Oval ID: oval:org.mitre.oval:def:22503
Title: ELSA-2009:1561: libvorbis security update (Important)
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: unix Class: patch
Reference(s): ELSA-2009:1561-01
CVE-2009-3379
Version: 6
Platform(s): Oracle Linux 5
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:29170
 
Oval ID: oval:org.mitre.oval:def:29170
Title: RHSA-2009:1561 -- libvorbis security update (Important)
Description: Updated libvorbis packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format.
Family: unix Class: patch
Reference(s): RHSA-2009:1561
CESA-2009:1561-CentOS 3
CESA-2009:1561-CentOS 5
CVE-2009-3379
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 3
CentOS Linux 5
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6582
 
Oval ID: oval:org.mitre.oval:def:6582
Title: Vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4 to cause a denial of service
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3379
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7349
 
Oval ID: oval:org.mitre.oval:def:7349
Title: DSA-1939 libvorbis -- several vulnerabilities
Description: Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.
Family: unix Class: patch
Reference(s): DSA-1939
CVE-2009-2663
CVE-2009-3379
Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): libvorbis
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for libvorbis CESA-2009:1561 centos3 i386
File : nvt/gb_CESA-2009_1561_libvorbis_centos3_i386.nasl
2011-08-09 Name : CentOS Update for libvorbis CESA-2009:1561 centos4 i386
File : nvt/gb_CESA-2009_1561_libvorbis_centos4_i386.nasl
2011-08-09 Name : CentOS Update for libvorbis CESA-2009:1561 centos5 i386
File : nvt/gb_CESA-2009_1561_libvorbis_centos5_i386.nasl
2009-12-03 Name : Debian Security Advisory DSA 1939-1 (libvorbis)
File : nvt/deb_1939_1.nasl
2009-12-03 Name : FreeBSD Ports: libvorbis
File : nvt/freebsd_libvorbis1.nasl
2009-12-03 Name : Ubuntu USN-861-1 (libvorbis)
File : nvt/ubuntu_861_1.nasl
2009-11-17 Name : Fedora Core 10 FEDORA-2009-11169 (libvorbis)
File : nvt/fcore_2009_11169.nasl
2009-11-17 Name : Fedora Core 11 FEDORA-2009-11243 (libvorbis)
File : nvt/fcore_2009_11243.nasl
2009-11-11 Name : RedHat Security Advisory RHSA-2009:1561
File : nvt/RHSA_2009_1561.nasl
2009-11-11 Name : FreeBSD Ports: firefox
File : nvt/freebsd_firefox42.nasl
2009-11-11 Name : CentOS Security Advisory CESA-2009:1561 (libvorbis)
File : nvt/ovcesa2009_1561.nasl
2009-11-11 Name : SLES10: Security update for Mozilla Firefox
File : nvt/sles10_MozillaFirefox7.nasl
2009-11-11 Name : SLES11: Security update for Mozilla Firefox
File : nvt/sles11_MozillaFirefox7.nasl
2009-11-11 Name : SuSE Security Advisory SUSE-SA:2009:052 (MozillaFirefox)
File : nvt/suse_sa_2009_052.nasl
2009-11-02 Name : Mozilla Firefox Multiple Memory Corruption Vulnerabilities Nov-09 (Linux)
File : nvt/gb_firefox_mult_mem_crptn_vuln_nov09_lin.nasl
2009-11-02 Name : Mozilla Firefox Multiple Memory Corruption Vulnerabilities Nov-09 (Win)
File : nvt/gb_firefox_mult_mem_crptn_vuln_nov09_win.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
59386 Mozilla Firefox libvorbis Multiple Unspecified Code Execution Issues

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1561.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1530.nasl - Type : ACT_GATHER_INFO
2013-06-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1561.nasl - Type : ACT_GATHER_INFO
2013-01-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20091109_libvorbis_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-6609.nasl - Type : ACT_GATHER_INFO
2010-07-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-294.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1939.nasl - Type : ACT_GATHER_INFO
2009-11-25 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-861-1.nasl - Type : ACT_GATHER_INFO
2009-11-25 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_94edff42d93d11dea4340211d880e350.nasl - Type : ACT_GATHER_INFO
2009-11-11 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11243.nasl - Type : ACT_GATHER_INFO
2009-11-11 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11169.nasl - Type : ACT_GATHER_INFO
2009-11-10 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1561.nasl - Type : ACT_GATHER_INFO
2009-11-04 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-091030.nasl - Type : ACT_GATHER_INFO
2009-11-04 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-6606.nasl - Type : ACT_GATHER_INFO
2009-10-29 Name : The remote Windows host contains a web browser that is affected by multiple v...
File : mozilla_firefox_354.nasl - Type : ACT_GATHER_INFO
2009-10-29 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_c87aa2d2c3c411deab08000f20797ede.nasl - Type : ACT_GATHER_INFO
2009-10-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1530.nasl - Type : ACT_GATHER_INFO
2009-10-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1530.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:53:01
  • Multiple Updates