Executive Summary

Summary
Title libvorbis vulnerabilities
Informations
NameUSN-861-1First vendor Publication2009-11-24
VendorUbuntuLast vendor Modification2009-11-24
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthentificationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
libvorbis0a 1.2.0.dfsg-2ubuntu0.3

Ubuntu 8.10:
libvorbis0a 1.2.0.dfsg-3.1ubuntu0.8.10.2

Ubuntu 9.04:
libvorbis0a 1.2.0.dfsg-3.1ubuntu0.9.04.2

Ubuntu 9.10:
libvorbis0a 1.2.0.dfsg-6ubuntu0.1

After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.

Details follow:

It was discovered that libvorbis did not correctly handle ogg files with
underpopulated Huffman trees. If a user were tricked into opening a
specially crafted ogg file with an application that uses libvorbis, an
attacker could cause a denial of service. (CVE-2008-2009)

It was discovered that libvorbis did not correctly handle certain malformed
ogg files. If a user were tricked into opening a specially crafted ogg file
with an application that uses libvorbis, an attacker could cause a denial
of service or possibly execute arbitrary code with the user's privileges.
(CVE-2009-3379)


Original Source

Url : http://www.ubuntu.com/usn/USN-861-1

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6582
 
Oval ID: oval:org.mitre.oval:def:6582
Title: Vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4 to cause a denial of service
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3379
 Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
 Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10993
 
Oval ID: oval:org.mitre.oval:def:10993
Title: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3379
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application3
Application1

Open Source Vulnerability Database (OSVDB)

idDescription
59386Mozilla Firefox libvorbis Multiple Unspecified Code Execution Issues
45413libvorbis OGG File _make_decode_tree Function Huffman Tree Handling Memory Co...