Executive Summary
Summary | |
---|---|
Title | libvorbis vulnerability |
Informations | |||
---|---|---|---|
Name | USN-825-1 | First vendor Publication | 2009-08-24 |
Vendor | Ubuntu | Last vendor Modification | 2009-08-24 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: Ubuntu 8.10: Ubuntu 9.04: After a standard system upgrade you need to restart any applications that use libvorbis, such as Totem and gtkpod, to effect the necessary changes. Details follow: It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could execute arbitrary code with the user's privileges. (CVE-2009-2663) USN-682-1 provided updated libvorbis packages to fix multiple security vulnerabilities. The upstream security patch to fix CVE-2008-1420 introduced a regression when reading sound files encoded with libvorbis 1.0beta1. This update corrects the problem. Original advisory details: It was discovered that libvorbis did not correctly handle certain |
Original Source
Url : http://www.ubuntu.com/usn/USN-825-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-399 | Resource Management Errors |
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13839 | |||
Oval ID: | oval:org.mitre.oval:def:13839 | ||
Title: | USN-825-1 -- libvorbis vulnerability | ||
Description: | It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could execute arbitrary code with the user�s privileges. USN-682-1 provided updated libvorbis packages to fix multiple security vulnerabilities. The upstream security patch to fix CVE-2008-1420 introduced a regression when reading sound files encoded with libvorbis 1.0beta1. This update corrects the problem. Original advisory details: It was discovered that libvorbis did not correctly handle certain malformed sound files. If a user were tricked into opening a specially crafted sound file with an application that uses libvorbis, an attacker could execute arbitrary code with the user�s privileges | ||
Family: | unix | Class: | patch |
Reference(s): | USN-825-1 CVE-2009-2663 CVE-2008-1420 | Version: | 5 |
Platform(s): | Ubuntu 8.10 Ubuntu 8.04 Ubuntu 9.04 | Product(s): | libvorbis |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22634 | |||
Oval ID: | oval:org.mitre.oval:def:22634 | ||
Title: | ELSA-2009:1219: libvorbis security update (Important) | ||
Description: | libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1219-01 CVE-2009-2663 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | libvorbis |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:29217 | |||
Oval ID: | oval:org.mitre.oval:def:29217 | ||
Title: | RHSA-2009:1219 -- libvorbis security update (Important) | ||
Description: | Updated libvorbis packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:1219 CESA-2009:1219-CentOS 5 CESA-2009:1219-CentOS 3 CVE-2009-2663 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 5 CentOS Linux 3 | Product(s): | libvorbis |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9500 | |||
Oval ID: | oval:org.mitre.oval:def:9500 | ||
Title: | Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. | ||
Description: | Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-1420 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9506 | |||
Oval ID: | oval:org.mitre.oval:def:9506 | ||
Title: | libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. | ||
Description: | libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-2663 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for libvorbis CESA-2009:1219 centos3 i386 File : nvt/gb_CESA-2009_1219_libvorbis_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for libvorbis CESA-2009:1219 centos5 i386 File : nvt/gb_CESA-2009_1219_libvorbis_centos5_i386.nasl |
2009-12-03 | Name : Debian Security Advisory DSA 1939-1 (libvorbis) File : nvt/deb_1939_1.nasl |
2009-12-03 | Name : FreeBSD Ports: libvorbis File : nvt/freebsd_libvorbis1.nasl |
2009-11-17 | Name : Fedora Core 10 FEDORA-2009-11169 (libvorbis) File : nvt/fcore_2009_11169.nasl |
2009-11-17 | Name : Fedora Core 11 FEDORA-2009-11243 (libvorbis) File : nvt/fcore_2009_11243.nasl |
2009-10-27 | Name : SuSE Security Advisory SUSE-SA:2009:048 (MozillaFirefox) File : nvt/suse_sa_2009_048.nasl |
2009-10-13 | Name : SLES10: Security update for Mozilla Firefox File : nvt/sles10_MozillaFirefox2.nasl |
2009-10-13 | Name : SLES10: Security update for libvorbis File : nvt/sles10_libvorbis.nasl |
2009-10-11 | Name : SLES11: Security update for Mozilla Firefox File : nvt/sles11_MozillaFirefox5.nasl |
2009-10-10 | Name : SLES9: Security update for libvorbis File : nvt/sles9p5026120.nasl |
2009-09-09 | Name : Gentoo Security Advisory GLSA 200909-02 (libvorbis) File : nvt/glsa_200909_02.nasl |
2009-09-02 | Name : Ubuntu USN-825-1 (libvorbis) File : nvt/ubuntu_825_1.nasl |
2009-09-02 | Name : CentOS Security Advisory CESA-2009:1219 (libvorbis) File : nvt/ovcesa2009_1219.nasl |
2009-09-02 | Name : RedHat Security Advisory RHSA-2009:1219 File : nvt/RHSA_2009_1219.nasl |
2009-08-17 | Name : Fedora Core 10 FEDORA-2009-8445 (libvorbis) File : nvt/fcore_2009_8445.nasl |
2009-08-17 | Name : Fedora Core 10 FEDORA-2009-8288 (perl-Gtk2-MozEmbed) File : nvt/fcore_2009_8288.nasl |
2009-08-17 | Name : Fedora Core 11 FEDORA-2009-8279 (xulrunner) File : nvt/fcore_2009_8279.nasl |
2009-08-07 | Name : Mozilla Firefox Multiple Memory Corruption Vulnerabilities Aug-09 (Linux) File : nvt/gb_firefox_mult_mem_crptn_vuln_aug09_lin.nasl |
2009-08-07 | Name : Mozilla Firefox Multiple Memory Corruption Vulnerabilities Aug-09 (Win) File : nvt/gb_firefox_mult_mem_crptn_vuln_aug09_win.nasl |
2009-04-09 | Name : Mandriva Update for libvorbis MDVSA-2008:102 (libvorbis) File : nvt/gb_mandriva_MDVSA_2008_102.nasl |
2009-03-23 | Name : Ubuntu Update for libvorbis vulnerabilities USN-682-1 File : nvt/gb_ubuntu_USN_682_1.nasl |
2009-03-06 | Name : RedHat Update for libvorbis RHSA-2008:0271-01 File : nvt/gb_RHSA-2008_0271-01_libvorbis.nasl |
2009-03-06 | Name : RedHat Update for libvorbis RHSA-2008:0270-01 File : nvt/gb_RHSA-2008_0270-01_libvorbis.nasl |
2009-02-27 | Name : CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386 File : nvt/gb_CESA-2008_0271-01_libvorbis_centos2_i386.nasl |
2009-02-27 | Name : CentOS Update for libvorbis CESA-2008:0270 centos3 x86_64 File : nvt/gb_CESA-2008_0270_libvorbis_centos3_x86_64.nasl |
2009-02-27 | Name : CentOS Update for libvorbis CESA-2008:0270 centos3 i386 File : nvt/gb_CESA-2008_0270_libvorbis_centos3_i386.nasl |
2009-02-17 | Name : Fedora Update for libvorbis FEDORA-2008-3934 File : nvt/gb_fedora_2008_3934_libvorbis_fc8.nasl |
2009-02-17 | Name : Fedora Update for libvorbis FEDORA-2008-3910 File : nvt/gb_fedora_2008_3910_libvorbis_fc9.nasl |
2009-02-17 | Name : Fedora Update for libvorbis FEDORA-2008-3898 File : nvt/gb_fedora_2008_3898_libvorbis_fc7.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200806-09 (libvorbis) File : nvt/glsa_200806_09.nasl |
2008-09-04 | Name : FreeBSD Ports: libvorbis File : nvt/freebsd_libvorbis0.nasl |
2008-06-11 | Name : Debian Security Advisory DSA 1591-1 (libvorbis) File : nvt/deb_1591_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
56722 | libvorbis vorbis_codebook.c vorbis_book_decodevv_add Function Memory Corruption |
45156 | libvorbis OGG File Residue Partition Values Processing Overflow |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-08-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_3dac84c9bce141999784d68af1eb7b2e.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1430.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1219.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0270.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080514_libvorbis_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090818_libvorbis_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libvorbis-100528.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libvorbis-7057.nasl - Type : ACT_GATHER_INFO |
2010-07-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libvorbis-100528.nasl - Type : ACT_GATHER_INFO |
2010-07-05 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12620.nasl - Type : ACT_GATHER_INFO |
2010-07-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libvorbis-100528.nasl - Type : ACT_GATHER_INFO |
2010-07-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libvorbis-100528.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1939.nasl - Type : ACT_GATHER_INFO |
2009-11-25 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_94edff42d93d11dea4340211d880e350.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-6495.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_MozillaFirefox-090812.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_MozillaFirefox-6433.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12159.nasl - Type : ACT_GATHER_INFO |
2009-09-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1430.nasl - Type : ACT_GATHER_INFO |
2009-09-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1430.nasl - Type : ACT_GATHER_INFO |
2009-09-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200909-02.nasl - Type : ACT_GATHER_INFO |
2009-08-25 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-825-1.nasl - Type : ACT_GATHER_INFO |
2009-08-20 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1219.nasl - Type : ACT_GATHER_INFO |
2009-08-20 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_MozillaFirefox-090812.nasl - Type : ACT_GATHER_INFO |
2009-08-20 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_MozillaFirefox-090812.nasl - Type : ACT_GATHER_INFO |
2009-08-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1219.nasl - Type : ACT_GATHER_INFO |
2009-08-11 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-8445.nasl - Type : ACT_GATHER_INFO |
2009-08-05 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-8288.nasl - Type : ACT_GATHER_INFO |
2009-08-05 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-8279.nasl - Type : ACT_GATHER_INFO |
2009-08-04 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_352.nasl - Type : ACT_GATHER_INFO |
2009-08-04 | Name : The remote Windows host contains a web browser that is affected by multiple f... File : mozilla_firefox_3013.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-102.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-682-1.nasl - Type : ACT_GATHER_INFO |
2008-06-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200806-09.nasl - Type : ACT_GATHER_INFO |
2008-06-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1591.nasl - Type : ACT_GATHER_INFO |
2008-05-29 | Name : The remote openSUSE host is missing a security update. File : suse_libvorbis-5258.nasl - Type : ACT_GATHER_INFO |
2008-05-29 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libvorbis-5259.nasl - Type : ACT_GATHER_INFO |
2008-05-20 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f5a76faf244c11ddb1430211d880e350.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0270.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3898.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3910.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3934.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0270.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0271.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:06:13 |
|
2013-05-11 00:56:08 |
|