CVE-2007-3106
First published: Wed Jun 27 2007(Updated: )
Chris Montgomery has informed us of a bug found in libvorbis. The patch is in revision 13160 from <a href="http://svn.xiph.org/trunk/vorbis">http://svn.xiph.org/trunk/vorbis</a> (svn diff -r 13159:13160 <a href="http://svn.xiph.org/trunk/vorbis">http://svn.xiph.org/trunk/vorbis</a>) I'm calling this bug an "array boundary condition flaw". It's the best definition I could find that matched up with something MITRE uses. The issue in question is related to the usage of a function pointer table. Here is an example: _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]); What happens is the value of 'ci->map_type[i]' can be an attacker controlled 16 bit unsigned integer. The amount of play with the that function pointer is a bit suspect I admit, but I suspect it's still exploitable (some peer review from someone better at this sort of thing would be helpful). The code in question is called when libvorbis starts to clean things up after receiving bad data.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rpath Linux | =1 | |
| Rpath Linux | =1.0.1 | |
| Rpath Linux | =1.0.2 | |
| Rpath Linux | =1.0.3 | |
| Rpath Linux | =1.0.4 | |
| Rpath Linux | =1.0.5 | |
| Rpath Linux | =1.0.6 | |
| libvorbis | <=1.2.0 | |
| libvorbis | =1.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.isecpartners.com/advisories/2007-003-libvorbis.txt
- https://issues.rpath.com/browse/RPL-1590
- http://www.tellini.org/blog/archives/32-Music-Box-1.6.html
- https://bugzilla.redhat.com/show_bug.cgi?id=245991
- https://bugzilla.redhat.com/show_bug.cgi?id=249780
- https://trac.xiph.org/changeset/13160
- http://security.gentoo.org/glsa/glsa-200710-03.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:167-1
- http://www.redhat.com/support/errata/RHSA-2007-0845.html
- http://www.redhat.com/support/errata/RHSA-2007-0912.html
- http://www.ubuntu.com/usn/usn-498-1
- http://www.securityfocus.com/bid/25082
- http://secunia.com/advisories/26232
- http://secunia.com/advisories/26087
- http://secunia.com/advisories/26299
- http://secunia.com/advisories/26429
- http://secunia.com/advisories/26535
- http://secunia.com/advisories/26865
- http://secunia.com/advisories/27099
- http://secunia.com/advisories/24923
- http://www.debian.org/security/2008/dsa-1471
- http://secunia.com/advisories/28614
- http://www.vupen.com/english/advisories/2007/2760
- http://www.vupen.com/english/advisories/2007/2698
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35622
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11449
- http://www.securityfocus.com/archive/1/474729/100/0/threaded
- http://svn.xiph.org/trunk/vorbis
- http://rhn.redhat.com/errata/RHSA-2007-0845.html
- http://rhn.redhat.com/errata/RHSA-2007-0912.html
- https://admin.fedoraproject.org/updates/F7/FEDORA-2007-1765
- collector/nvd-historical
- collector/redhat-bugzilla
- alias/CVE-2007-3106
- agent/author
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/remedy
- agent/references
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/rpath
- canonical/rpath linux
- version/rpath linux/1
- version/rpath linux/1.0.1
- version/rpath linux/1.0.2
- version/rpath linux/1.0.3
- version/rpath linux/1.0.4
- version/rpath linux/1.0.5
- version/rpath linux/1.0.6
- vendor/libvorbis
- canonical/libvorbis
- version/libvorbis/1.2.0
- version/libvorbis/1.1.2