CVE-2009-2663: Input Validation
First published: Tue Aug 04 2009(Updated: )
An insufficient input validation flaw was found in the way libvorbis used to process codec file headers (static mode headers and encoding books) for the Ogg Vorbis audio file format (Ogg). A remote attacker could provide a specially-crafted Ogg file, which would lead to denial of service (memory corruption and application crash) or, potentially execute arbitrary code with the privileges of the application using the libvorbis library, when opened by the victim. References: ----------- <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=500254">https://bugzilla.mozilla.org/show_bug.cgi?id=500254</a> <a href="http://bugs.gentoo.org/280393">http://bugs.gentoo.org/280393</a> <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2663">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2663</a> Reproducer: ----------- <a href="https://bugzilla.mozilla.org/attachment.cgi?id=384979">https://bugzilla.mozilla.org/attachment.cgi?id=384979</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | =0.1 | |
| Firefox | =0.9_rc | |
| Firefox | =0.8 | |
| Firefox | =2.0.0.12 | |
| Firefox | =1.5-beta2 | |
| Firefox | =2.0_.7 | |
| Firefox | =3.0.7 | |
| Firefox | =1.5.2 | |
| Firefox | =3.0.9 | |
| Firefox | =1.5.0.6 | |
| Firefox | =1.8 | |
| Firefox | =2.0.0.2 | |
| Firefox | =1.5.0.10 | |
| Firefox | =1.5.0.3 | |
| Firefox | =3.0.8 | |
| Firefox | =1.5.0.11 | |
| Firefox | =1.4.1 | |
| Firefox | =1.5.4 | |
| Firefox | =1.0.2 | |
| Firefox | =3.5 | |
| Firefox | =3.0.4 | |
| Firefox | =1.5-beta1 | |
| Firefox | =2.0_8 | |
| Firefox | =2.0_.9 | |
| Firefox | =3.0.5 | |
| Firefox | =1.5 | |
| Firefox | =0.9.1 | |
| Firefox | =1.0.4 | |
| Firefox | =2.0.0.7 | |
| Firefox | =1.0.7 | |
| Firefox | =2.0.0.9 | |
| Firefox | =0.10.1 | |
| Firefox | =2.0_.1 | |
| Firefox | =0.9 | |
| Firefox | =2.0.0.16 | |
| Firefox | =1.5.6 | |
| Firefox | =2.0.0.17 | |
| Firefox | =0.7 | |
| Firefox | =2.0.0.15 | |
| Firefox | =3.0.10 | |
| Firefox | =0.2 | |
| Firefox | =0.3 | |
| Firefox | =2.0_.10 | |
| Firefox | =3.0.12 | |
| Firefox | =1.0 | |
| Firefox | =3.0.3 | |
| Firefox | =1.5.0.7 | |
| Firefox | =2.0 | |
| Firefox | <=3.5.1 | |
| Firefox | =1.0.1 | |
| Firefox | =2.0-beta1 | |
| Firefox | =2.0.0.14 | |
| Firefox | =0.6 | |
| Firefox | =0.7.1 | |
| Firefox | =3.0.6 | |
| Firefox | =1.5.0.8 | |
| Firefox | =2.0_.5 | |
| Firefox | =1.0.6 | |
| Firefox | =2.0.0.3 | |
| Firefox | =1.5.0.9 | |
| Firefox | =1.5.0.5 | |
| Firefox | =1.5.7 | |
| Firefox | =1.5.0.12 | |
| Firefox | =2.0.0.6 | |
| Firefox | =3.0 | |
| Firefox | =2.0.0.11 | |
| Firefox | =1.5.0.2 | |
| Firefox | =1.0.3 | |
| Firefox | =3.0.1 | |
| Firefox | =2.0.0.4 | |
| Firefox | =0.5 | |
| Firefox | =0.6.1 | |
| Firefox | =1.5.1 | |
| Firefox | =2.0.0.21 | |
| Firefox | =0.9.3 | |
| Firefox | =2.0.0.13 | |
| Firefox | =2.0.0.18 | |
| Firefox | =2.0-rc2 | |
| Firefox | =2.0.0.1 | |
| Firefox | =3.0.2 | |
| Firefox | =2.0_.6 | |
| Firefox | =2.0_.4 | |
| Firefox | =1.5.5 | |
| Firefox | =0.9.2 | |
| Firefox | =1.0-preview_release | |
| Firefox | =2.0-beta_1 | |
| Firefox | =2.0.0.20 | |
| Firefox | =2.0.0.8 | |
| Firefox | =0.9-rc | |
| Firefox | =2.0.0.19 | |
| Firefox | =1.5.8 | |
| Firefox | =1.5.3 | |
| Firefox | =0.4 | |
| Firefox | =1.5.0.4 | |
| Firefox | =1.5.0.1 | |
| Firefox | =0.10 | |
| Firefox | =1.0.5 | |
| Firefox | =2.0.0.5 | |
| Firefox | =2.0.0.10 | |
| Firefox | =2.0-rc3 | |
| Firefox | =1.0.6 | |
| Firefox | =1.0.8 | |
| Firefox | =3.0.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=500254
- http://bugs.gentoo.org/280393
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2663
- https://bugzilla.mozilla.org/attachment.cgi?id=384979
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=356685&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=356685&action=edit
- http://svn.xiph.org/trunk/vorbis/
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=356686
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=356686&action=edit
- http://admin.fedoraproject.org/updates/libvorbis-1.2.0-6.fc10
- http://admin.fedoraproject.org/updates/libvorbis-1.2.0-8.fc11
- https://rhn.redhat.com/errata/RHSA-2009-1219.html
- https://bugzilla.redhat.com/show_bug.cgi?id=516259
- http://www.mozilla.org/security/announce/2009/mfsa2009-45.html
- http://www.vupen.com/english/advisories/2009/2142
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.html
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00481.html
- http://secunia.com/advisories/36126
- http://www.securityfocus.com/bid/35927
- http://www.vupen.com/english/advisories/2009/2223
- http://secunia.com/advisories/36263
- http://secunia.com/advisories/36230
- http://secunia.com/advisories/36463
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
- http://www.securityfocus.com/bid/36018
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52397
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9506
- https://usn.ubuntu.com/825-1/
Frequently Asked Questions
What is the severity of CVE-2009-2663?
CVE-2009-2663 has a severity rating that typically falls within the medium range due to its potential to cause denial of service.
How do I fix CVE-2009-2663?
To remediate CVE-2009-2663, update affected versions of the Mozilla Firefox browser to the latest patched release.
What type of vulnerability is CVE-2009-2663?
CVE-2009-2663 is an insufficient input validation vulnerability in the libvorbis codec handling Ogg Vorbis audio files.
Can CVE-2009-2663 be exploited remotely?
Yes, CVE-2009-2663 can be exploited remotely by an attacker through specially crafted Ogg files.
Which versions of Firefox are affected by CVE-2009-2663?
CVE-2009-2663 affects multiple versions of Mozilla Firefox up to and including 3.5.1.
- agent/type
- agent/remedy
- agent/references
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-2663
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- version/firefox/0.1
- version/firefox/0.9_rc
- version/firefox/0.8
- version/firefox/2.0.0.12
- version/firefox/1.5-beta2
- version/firefox/2.0_.7
- version/firefox/3.0.7
- version/firefox/1.5.2
- version/firefox/3.0.9
- version/firefox/1.5.0.6
- version/firefox/1.8
- version/firefox/2.0.0.2
- version/firefox/1.5.0.10
- version/firefox/1.5.0.3
- version/firefox/3.0.8
- version/firefox/1.5.0.11
- version/firefox/1.4.1
- version/firefox/1.5.4
- version/firefox/1.0.2
- version/firefox/3.5
- version/firefox/3.0.4
- version/firefox/1.5-beta1
- version/firefox/2.0_8
- version/firefox/2.0_.9
- version/firefox/3.0.5
- version/firefox/1.5
- version/firefox/0.9.1
- version/firefox/1.0.4
- version/firefox/2.0.0.7
- version/firefox/1.0.7
- version/firefox/2.0.0.9
- version/firefox/0.10.1
- version/firefox/2.0_.1
- version/firefox/0.9
- version/firefox/2.0.0.16
- version/firefox/1.5.6
- version/firefox/2.0.0.17
- version/firefox/0.7
- version/firefox/2.0.0.15
- version/firefox/3.0.10
- version/firefox/0.2
- version/firefox/0.3
- version/firefox/2.0_.10
- version/firefox/3.0.12
- version/firefox/1.0
- version/firefox/3.0.3
- version/firefox/1.5.0.7
- version/firefox/2.0
- version/firefox/3.5.1
- version/firefox/1.0.1
- version/firefox/2.0-beta1
- version/firefox/2.0.0.14
- version/firefox/0.6
- version/firefox/0.7.1
- version/firefox/3.0.6
- version/firefox/1.5.0.8
- version/firefox/2.0_.5
- version/firefox/1.0.6
- version/firefox/2.0.0.3
- version/firefox/1.5.0.9
- version/firefox/1.5.0.5
- version/firefox/1.5.7
- version/firefox/1.5.0.12
- version/firefox/2.0.0.6
- version/firefox/3.0
- version/firefox/2.0.0.11
- version/firefox/1.5.0.2
- version/firefox/1.0.3
- version/firefox/3.0.1
- version/firefox/2.0.0.4
- version/firefox/0.5
- version/firefox/0.6.1
- version/firefox/1.5.1
- version/firefox/2.0.0.21
- version/firefox/0.9.3
- version/firefox/2.0.0.13
- version/firefox/2.0.0.18
- version/firefox/2.0-rc2
- version/firefox/2.0.0.1
- version/firefox/3.0.2
- version/firefox/2.0_.6
- version/firefox/2.0_.4
- version/firefox/1.5.5
- version/firefox/0.9.2
- version/firefox/1.0-preview_release
- version/firefox/2.0-beta_1
- version/firefox/2.0.0.20
- version/firefox/2.0.0.8
- version/firefox/0.9-rc
- version/firefox/2.0.0.19
- version/firefox/1.5.8
- version/firefox/1.5.3
- version/firefox/0.4
- version/firefox/1.5.0.4
- version/firefox/1.5.0.1
- version/firefox/0.10
- version/firefox/1.0.5
- version/firefox/2.0.0.5
- version/firefox/2.0.0.10
- version/firefox/2.0-rc3
- version/firefox/1.0.8
- version/firefox/3.0.11