Executive Summary

Summary
Title libvorbis vulnerabilities
Informations
NameUSN-861-1First vendor Publication2009-11-24
VendorUbuntuLast vendor Modification2009-11-24
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
libvorbis0a 1.2.0.dfsg-2ubuntu0.3

Ubuntu 8.10:
libvorbis0a 1.2.0.dfsg-3.1ubuntu0.8.10.2

Ubuntu 9.04:
libvorbis0a 1.2.0.dfsg-3.1ubuntu0.9.04.2

Ubuntu 9.10:
libvorbis0a 1.2.0.dfsg-6ubuntu0.1

After a standard system upgrade you need to restart any applications that use libvorbis, such as Totem and gtkpod, to effect the necessary changes.

Details follow:

It was discovered that libvorbis did not correctly handle ogg files with underpopulated Huffman trees. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service. (CVE-2008-2009)

It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user's privileges. (CVE-2009-3379)

Original Source

Url : http://www.ubuntu.com/usn/USN-861-1

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:7349
 
Oval ID: oval:org.mitre.oval:def:7349
Title: DSA-1939 libvorbis -- several vulnerabilities
Description: Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.
Family: unix Class: patch
Reference(s): DSA-1939
CVE-2009-2663
CVE-2009-3379
Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6582
 
Oval ID: oval:org.mitre.oval:def:6582
Title: Vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4 to cause a denial of service
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3379
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13944
 
Oval ID: oval:org.mitre.oval:def:13944
Title: USN-861-1 -- libvorbis vulnerabilities
Description: It was discovered that libvorbis did not correctly handle ogg files with underpopulated Huffman trees. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service. It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user�s privileges
Family: unix Class: patch
Reference(s): USN-861-1
CVE-2008-2009
CVE-2009-3379
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 8.10
Ubuntu 9.10
Ubuntu 9.04
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12897
 
Oval ID: oval:org.mitre.oval:def:12897
Title: DSA-1939-1 libvorbis -- several
Description: Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service or possibly execute arbitrary code via a crafted .ogg file. For the oldstable distribution, these problems have been fixed in version 1.1.2.dfsg-1.4+etch1. For the stable distribution, these problems have been fixed in version 1.2.0.dfsg-3.1+lenny1. For the testing distribution and the unstable distribution, these problems have been fixed in version 1.2.3-1 We recommend that you upgrade your libvorbis packages.
Family: unix Class: patch
Reference(s): DSA-1939-1
CVE-2009-2663
CVE-2009-3379
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): libvorbis
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10993
 
Oval ID: oval:org.mitre.oval:def:10993
Title: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3379
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22503
 
Oval ID: oval:org.mitre.oval:def:22503
Title: ELSA-2009:1561: libvorbis security update (Important)
Description: Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Family: unix Class: patch
Reference(s): ELSA-2009:1561-01
CVE-2009-3379
Version: 6
Platform(s): Oracle Linux 5
Product(s): libvorbis
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application3
Application1

OpenVAS Exploits

DateDescription
2011-08-09Name : CentOS Update for libvorbis CESA-2009:1561 centos5 i386
File : nvt/gb_CESA-2009_1561_libvorbis_centos5_i386.nasl
2011-08-09Name : CentOS Update for libvorbis CESA-2009:1561 centos3 i386
File : nvt/gb_CESA-2009_1561_libvorbis_centos3_i386.nasl
2011-08-09Name : CentOS Update for libvorbis CESA-2009:1561 centos4 i386
File : nvt/gb_CESA-2009_1561_libvorbis_centos4_i386.nasl
2009-12-03Name : Ubuntu USN-861-1 (libvorbis)
File : nvt/ubuntu_861_1.nasl
2009-12-03Name : Debian Security Advisory DSA 1939-1 (libvorbis)
File : nvt/deb_1939_1.nasl
2009-12-03Name : FreeBSD Ports: libvorbis
File : nvt/freebsd_libvorbis1.nasl
2009-11-17Name : Fedora Core 10 FEDORA-2009-11169 (libvorbis)
File : nvt/fcore_2009_11169.nasl
2009-11-17Name : Fedora Core 11 FEDORA-2009-11243 (libvorbis)
File : nvt/fcore_2009_11243.nasl
2009-11-11Name : SLES10: Security update for Mozilla Firefox
File : nvt/sles10_MozillaFirefox7.nasl
2009-11-11Name : SLES11: Security update for Mozilla Firefox
File : nvt/sles11_MozillaFirefox7.nasl
2009-11-11Name : CentOS Security Advisory CESA-2009:1561 (libvorbis)
File : nvt/ovcesa2009_1561.nasl
2009-11-11Name : FreeBSD Ports: firefox
File : nvt/freebsd_firefox42.nasl
2009-11-11Name : SuSE Security Advisory SUSE-SA:2009:052 (MozillaFirefox)
File : nvt/suse_sa_2009_052.nasl
2009-11-11Name : RedHat Security Advisory RHSA-2009:1561
File : nvt/RHSA_2009_1561.nasl
2009-11-02Name : Mozilla Firefox Multiple Memory Corruption Vulnerabilities Nov-09 (Linux)
File : nvt/gb_firefox_mult_mem_crptn_vuln_nov09_lin.nasl
2009-11-02Name : Mozilla Firefox Multiple Memory Corruption Vulnerabilities Nov-09 (Win)
File : nvt/gb_firefox_mult_mem_crptn_vuln_nov09_win.nasl
2009-03-06Name : RedHat Update for libvorbis RHSA-2008:0271-01
File : nvt/gb_RHSA-2008_0271-01_libvorbis.nasl
2009-02-27Name : CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386
File : nvt/gb_CESA-2008_0271-01_libvorbis_centos2_i386.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
59386Mozilla Firefox libvorbis Multiple Unspecified Code Execution Issues
45413libvorbis OGG File _make_decode_tree Function Huffman Tree Handling Memory Co...

Nessus® Vulnerability Scanner

DateDescription
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1561.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1530.nasl - Type : ACT_GATHER_INFO
2013-06-29Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1561.nasl - Type : ACT_GATHER_INFO
2013-01-08Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20091109_libvorbis_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-10-11Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-6609.nasl - Type : ACT_GATHER_INFO
2010-07-30Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-294.nasl - Type : ACT_GATHER_INFO
2010-02-24Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1939.nasl - Type : ACT_GATHER_INFO
2009-11-25Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-861-1.nasl - Type : ACT_GATHER_INFO
2009-11-25Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_94edff42d93d11dea4340211d880e350.nasl - Type : ACT_GATHER_INFO
2009-11-11Name : The remote Fedora host is missing a security update.
File : fedora_2009-11169.nasl - Type : ACT_GATHER_INFO
2009-11-11Name : The remote Fedora host is missing a security update.
File : fedora_2009-11243.nasl - Type : ACT_GATHER_INFO
2009-11-10Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1561.nasl - Type : ACT_GATHER_INFO
2009-11-04Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-091030.nasl - Type : ACT_GATHER_INFO
2009-11-04Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-6606.nasl - Type : ACT_GATHER_INFO
2009-10-29Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_c87aa2d2c3c411deab08000f20797ede.nasl - Type : ACT_GATHER_INFO
2009-10-29Name : The remote Windows host contains a web browser that is affected by multiple v...
File : mozilla_firefox_354.nasl - Type : ACT_GATHER_INFO
2009-10-29Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1530.nasl - Type : ACT_GATHER_INFO
2009-10-28Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1530.nasl - Type : ACT_GATHER_INFO
2008-05-16Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0271.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 12:06:24
  • Multiple Updates