DSA 1591-1: New libvorbis packages fix several vulnerabilities
Posted on: 06/03/2008 02:55 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1591-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
June 03, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : libvorbis
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-1419 CVE-2008-1420 CVE-2008-1423
Debian Bug : 482518

Several local (remote) vulnerabilities have been discovered in libvorbis,
a library for the Vorbis general-purpose compressed audio codec. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-1419

libvorbis does not properly handle a zero value which allows remote
attackers to cause a denial of service (crash or infinite loop) or
trigger an integer overflow.

CVE-2008-1420

Integer overflow in libvorbis allows remote attackers to execute
arbitrary code via a crafted OGG file, which triggers a heap overflow.

CVE-2008-1423

Integer overflow in libvorbis allows remote attackers to cause a denial
of service (crash) or execute arbitrary code via a crafted OGG file
which triggers a heap overflow.

For the stable distribution (etch), these problems have been fixed in version
1.1.2.dfsg-1.4.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.0.dfsg-3.1.

We recommend that you upgrade your libvorbis package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.dsc
Size/MD5 checksum: 787 2f0bfd28fb368c43c56332e7de7a2e3d
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg.orig.tar.gz
Size/MD5 checksum: 1312540 44cf09fef7f78e7c6ba7dd63b6137412
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.diff.gz
Size/MD5 checksum: 15782 62527e6adcff1dca42018a0252b19b91

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum: 94500 edb2728b48cd6fc0357f62a7dc8fca5c
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum: 110468 8273babee8a08c373671b468469b2ede
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum: 19202 925dfba3f212e8b69c760c433b119716
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_alpha.deb
Size/MD5 checksum: 494958 0052fe78f4be43cb9a7f42ea2b25f7fe

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum: 17790 f49da89a8b972614687f3a5e2f6c5bac
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum: 93498 241499415b96f3e348d1ec9c66a45981
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum: 101508 63e1e8392876a822dc664e21b19e0185
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_amd64.deb
Size/MD5 checksum: 468670 8c6c80eb7b8e7f8b49be1447357ebce1

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum: 75744 03dad28341cde24fbbfd20444bf346c2
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum: 18528 508cb939f65a367447c44add9dd8c11a
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum: 98190 a09c2d3021f7b9d2d9b2bf04b2d30957
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_arm.deb
Size/MD5 checksum: 458578 6dcadbb28c56a0a9368bfcd67b28d3fa

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_hppa.deb
Size/MD5 checksum: 483196 0435784553fb2b9c08c915da58c3c7e1
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_hppa.deb
Size/MD5 checksum: 21978 6ade3e3b040f8e01c4fe023df6faf2de
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_hppa.deb
Size/MD5 checksum: 108084 7d263ee14d29b787b0f32710ae2bffdf
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_hppa.deb
Size/MD5 checksum: 92430 72180513d203103e56e4929ca6da035f

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_i386.deb
Size/MD5 checksum: 453652 55bc31f817b6806d19d8f0696cc288cd
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_i386.deb
Size/MD5 checksum: 18884 5d4f1bccf5efa0d5ba5767b49f97d253
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_i386.deb
Size/MD5 checksum: 75346 f11509bd2b430f8be62706a13748d6bc
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_i386.deb
Size/MD5 checksum: 98176 d5b46716c8ab083b9c00b523a73a81b9

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_ia64.deb
Size/MD5 checksum: 98022 dabf436427e867a81074bdca0c53ef6e
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_ia64.deb
Size/MD5 checksum: 510180 1c4e1c58e7d63f10ff7efaf3a6555f46
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_ia64.deb
Size/MD5 checksum: 24700 8dadf685db0738f52c4b47420eff588a
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_ia64.deb
Size/MD5 checksum: 136046 b5d657cad9154915f0a9c0779e68cf1c

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mips.deb
Size/MD5 checksum: 104986 3d6d14fff3621ed344e88e7bb57ae627
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mips.deb
Size/MD5 checksum: 81588 e776156e4d5647f0aa591ea8b01d3aad
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mips.deb
Size/MD5 checksum: 20946 5f5eca06d6b715087a4298d2db944fcf
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mips.deb
Size/MD5 checksum: 479286 4a9404dab651fd387901d6eb223bd835

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mipsel.deb
Size/MD5 checksum: 76982 63638be1a06154fa1126e5be3a4ac95e
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mipsel.deb
Size/MD5 checksum: 469086 9c31f061ab04690bf52876821a9383ea
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mipsel.deb
Size/MD5 checksum: 20944 5f59636c00cbe76590ac1ef23235cd8d
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mipsel.deb
Size/MD5 checksum: 104948 be1bf5fd730d239f5cd62a92cd4b75e4

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_powerpc.deb
Size/MD5 checksum: 105760 ba397af813b092de9bea72accb46db4b
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_powerpc.deb
Size/MD5 checksum: 21394 7e12a198ce7bed6922d20da108e5bad5
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_powerpc.deb
Size/MD5 checksum: 82558 1299949b45c3a6fdba4fa64fcf48dc53
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_powerpc.deb
Size/MD5 checksum: 475206 7cda1ebdffc9b47d90efa594bea5d5b8

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_s390.deb
Size/MD5 checksum: 452736 403af241544bf4fd66f4993003f0f192
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_s390.deb
Size/MD5 checksum: 90546 f2f4a9e7410b946b91c4d44cef18f5af
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_s390.deb
Size/MD5 checksum: 102548 ad43cb11ddff398ee0a83ded1a024321
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_s390.deb
Size/MD5 checksum: 20920 7ffdc1f9962394073efae81356780428

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_sparc.deb
Size/MD5 checksum: 98252 fad4afe3566e986fe819a0fff6a2376e
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_sparc.deb
Size/MD5 checksum: 453410 ce3775bb59d55b9ba7e34469225e0d20
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_sparc.deb
Size/MD5 checksum: 17888 4eaf8a0cfd4f3b1c6f8332ccf1bf6ef4
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_sparc.deb
Size/MD5 checksum: 79796 57795226ac31a7b5bf7793e4e14dc89a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSEUOemz0hbPcukPfAQKlCwf/RNQkhN5GiXzWbIPQDNuXCa9Gri63UI6Z
yUpFdhpcitk0JKDznD67BwrVjEFOOhInCDMiVftX53oAGoUhW/kEbQ4A+gzqf9cJ
B6OfyEjzV9JLEZ5OMlRQCigQpbUqQVwx6ISBM/RuzbuQSXEpYtUPztPAqHmVZDdU
WjiVKEioP6T64ql9xxEu15ekuWJpcaglkHSOEGPmJZwP/9sLCQrVUwciMSWR/fr+
kdV47I292yfyhdVMnmszpncAtO1ZWAyDV8DZS2yMXlqxfK/nMadz4PWj39gISr6e
677OU3WzrE+tj7hKGvutvivwTEzNzhrHq5/oYFnQn/mgoHfgKFsNlQ==
=52+x
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1591_1_new_libvorbis_packages_fix_several_vulnerabilities.html)