__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN libvorbis Security Update [Red Hat RHSA-2008:0270-5] May 15, 2008 20:00 GMT Number S-294 [REVISED 5 Jun 2008] ______________________________________________________________________________ PROBLEM: Several flaws werer reported in the way libvorbis processed audio data. PLATFORM: RHEL Desktop Workstation (v. 5 client) Red Hat Desktop (v. 3, v. 4) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux AS, ES, WS (v. 3, v. 4) Red Hat Enterprise Linux Desktop (v. 5 client) Debian GNU/Linux 4.0 (etch) DAMAGE: Execute arbitrary code. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. An attacker could create a carefully ASSESSMENT: crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. ______________________________________________________________________________ CVSS 2 BASE SCORE: 7.5 TEMPORAL SCORE: 5.9 VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-294.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2008-0270.html ADDITIONAL LINK: http://www.debian.org/security/2008/dsa-1591 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 ______________________________________________________________________________ REVISION HISTORY: 06/05/2008 - revised S-294 to add a link to Debian Security Advisory DSA-1591-1 for Debian GNU/Linux 4.0 (etch). [***** Start Red Hat RHSA-2008:0270-5 *****] Important: libvorbis security update Advisory: RHSA-2008:0270-5 Type: Security Advisory Severity: Important Issued on: 2008-05-14 Last updated on: 2008-05-14 Affected Products: RHEL Desktop Workstation (v. 5 client) Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux Desktop (v. 5 client) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) OVAL: com.redhat.rhsa-20080270.xml CVEs (cve.mitre.org): CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 Details Updated libvorbis packages that fix various security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423) Moreover, additional OGG file sanity-checks have been added to prevent possible exploitation of similar issues in the future. Users of libvorbis are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Solution Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 Updated packages RHEL Desktop Workstation (v. 5 client) -------------------------------------------------------------------------------- IA-32: libvorbis-devel-1.1.2-3.el5_1.2.i386.rpm 7a41c2b6e9ee016a4344b8836b638218 x86_64: libvorbis-devel-1.1.2-3.el5_1.2.i386.rpm 7a41c2b6e9ee016a4344b8836b638218 libvorbis-devel-1.1.2-3.el5_1.2.x86_64.rpm 0358694d1c04a28dcd2944f89c513fb6 Red Hat Desktop (v. 3) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.0-10.el3.src.rpm 487d870492fb60ea1fa624f50b40975b IA-32: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-devel-1.0-10.el3.i386.rpm 6de896c294690ea480a65dedde14a7e3 x86_64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.x86_64.rpm 57857d4e5f2bff381c538f9c3cf0c1e9 libvorbis-devel-1.0-10.el3.x86_64.rpm 25a8ad62ec1137f3163d2cfeeaa8cdbd Red Hat Desktop (v. 4) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.1.0-3.el4_6.1.src.rpm 4ec9713d21f447711704b8ca57a23f85 IA-32: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm 45394583ab67b47c6ccbce43730b9b7c x86_64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.x86_64.rpm 412cde92f0de816f9d062811e03e4af8 libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm 8684f07c831784590e6cb2de3cd762d4 Red Hat Enterprise Linux (v. 5 server) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.1.2-3.el5_1.2.src.rpm 686ff9bc4cbbc09be1d350567e4514b2 IA-32: libvorbis-1.1.2-3.el5_1.2.i386.rpm 3dc980580ada6f086d2728fe5f4478d1 libvorbis-devel-1.1.2-3.el5_1.2.i386.rpm 7a41c2b6e9ee016a4344b8836b638218 IA-64: libvorbis-1.1.2-3.el5_1.2.ia64.rpm 60e122a0d6b8f96dff7d3d7d63af702f libvorbis-devel-1.1.2-3.el5_1.2.ia64.rpm 24e57202c329a10fa9c2fe925d95fc2e PPC: libvorbis-1.1.2-3.el5_1.2.ppc.rpm 64be672303a653b9271eff9a04293c00 libvorbis-1.1.2-3.el5_1.2.ppc64.rpm 58c9d8f83ce0b9cc2d5977a663f8f5d2 libvorbis-devel-1.1.2-3.el5_1.2.ppc.rpm d9867a6925914570194dbb4aaf1fa549 libvorbis-devel-1.1.2-3.el5_1.2.ppc64.rpm 5c39857a2e89d271a4fe2c6f094b3bc8 s390x: libvorbis-1.1.2-3.el5_1.2.s390.rpm 26b779dcacb9b744f69cd08c77799806 libvorbis-1.1.2-3.el5_1.2.s390x.rpm aee857165c97c694f3878b346838816c libvorbis-devel-1.1.2-3.el5_1.2.s390.rpm 3a963fa5d4bf6c30f57753dc5912c13a libvorbis-devel-1.1.2-3.el5_1.2.s390x.rpm ae4085ba3d03a3ba4e1d056736c7c35d x86_64: libvorbis-1.1.2-3.el5_1.2.i386.rpm 3dc980580ada6f086d2728fe5f4478d1 libvorbis-1.1.2-3.el5_1.2.x86_64.rpm 892a903e5e970fa1147b3314202a16f9 libvorbis-devel-1.1.2-3.el5_1.2.i386.rpm 7a41c2b6e9ee016a4344b8836b638218 libvorbis-devel-1.1.2-3.el5_1.2.x86_64.rpm 0358694d1c04a28dcd2944f89c513fb6 Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.0-10.el3.src.rpm 487d870492fb60ea1fa624f50b40975b IA-32: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-devel-1.0-10.el3.i386.rpm 6de896c294690ea480a65dedde14a7e3 IA-64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.ia64.rpm 38f44a7d0af1600b46c8b4e3cc144444 libvorbis-devel-1.0-10.el3.ia64.rpm 70605d1d6b8492bd67295db79b58dc32 PPC: libvorbis-1.0-10.el3.ppc.rpm e4db5c2876a94a74b70c16cc646cf42d libvorbis-1.0-10.el3.ppc64.rpm 1d6fdb75c4560da7ac170d64d76b5d44 libvorbis-devel-1.0-10.el3.ppc.rpm 3dd0d16be54163cec5a02f5ac0820074 s390: libvorbis-1.0-10.el3.s390.rpm 9f912975ad028d6af32129f6d294c52c libvorbis-devel-1.0-10.el3.s390.rpm 8256633c1b7510768311e8590c30e0f9 s390x: libvorbis-1.0-10.el3.s390.rpm 9f912975ad028d6af32129f6d294c52c libvorbis-1.0-10.el3.s390x.rpm 7ff56ddaf3a011d6ee3964f3fbb4b346 libvorbis-devel-1.0-10.el3.s390x.rpm 005e5a1ad18b57dfe11af40fb44e25e7 x86_64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.x86_64.rpm 57857d4e5f2bff381c538f9c3cf0c1e9 libvorbis-devel-1.0-10.el3.x86_64.rpm 25a8ad62ec1137f3163d2cfeeaa8cdbd Red Hat Enterprise Linux AS (v. 4) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.1.0-3.el4_6.1.src.rpm 4ec9713d21f447711704b8ca57a23f85 IA-32: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm 45394583ab67b47c6ccbce43730b9b7c IA-64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.ia64.rpm 64d1491d8a35a87334c05df441cebb51 libvorbis-devel-1.1.0-3.el4_6.1.ia64.rpm 28a1816abce0854255ec8fd78e6d0218 PPC: libvorbis-1.1.0-3.el4_6.1.ppc.rpm 9c839b5e1734e9f81c7c34e783c23433 libvorbis-1.1.0-3.el4_6.1.ppc64.rpm e81ff78e869d354cc0fc008b7eca8b01 libvorbis-devel-1.1.0-3.el4_6.1.ppc.rpm c24719967a2c0f15907410a0bbb7ad03 s390: libvorbis-1.1.0-3.el4_6.1.s390.rpm f5302f2beefee615ca190e55fca5d5ff libvorbis-devel-1.1.0-3.el4_6.1.s390.rpm af7bb6fee2935df7867733b66d9baff0 s390x: libvorbis-1.1.0-3.el4_6.1.s390.rpm f5302f2beefee615ca190e55fca5d5ff libvorbis-1.1.0-3.el4_6.1.s390x.rpm 6a51d56f961539b9d4a32a3c6068ce19 libvorbis-devel-1.1.0-3.el4_6.1.s390x.rpm 7f79f3f03b3761d18069f2cc4f00b78f x86_64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.x86_64.rpm 412cde92f0de816f9d062811e03e4af8 libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm 8684f07c831784590e6cb2de3cd762d4 Red Hat Enterprise Linux Desktop (v. 5 client) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.1.2-3.el5_1.2.src.rpm 686ff9bc4cbbc09be1d350567e4514b2 IA-32: libvorbis-1.1.2-3.el5_1.2.i386.rpm 3dc980580ada6f086d2728fe5f4478d1 x86_64: libvorbis-1.1.2-3.el5_1.2.i386.rpm 3dc980580ada6f086d2728fe5f4478d1 libvorbis-1.1.2-3.el5_1.2.x86_64.rpm 892a903e5e970fa1147b3314202a16f9 Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.0-10.el3.src.rpm 487d870492fb60ea1fa624f50b40975b IA-32: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-devel-1.0-10.el3.i386.rpm 6de896c294690ea480a65dedde14a7e3 IA-64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.ia64.rpm 38f44a7d0af1600b46c8b4e3cc144444 libvorbis-devel-1.0-10.el3.ia64.rpm 70605d1d6b8492bd67295db79b58dc32 x86_64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.x86_64.rpm 57857d4e5f2bff381c538f9c3cf0c1e9 libvorbis-devel-1.0-10.el3.x86_64.rpm 25a8ad62ec1137f3163d2cfeeaa8cdbd Red Hat Enterprise Linux ES (v. 4) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.1.0-3.el4_6.1.src.rpm 4ec9713d21f447711704b8ca57a23f85 IA-32: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm 45394583ab67b47c6ccbce43730b9b7c IA-64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.ia64.rpm 64d1491d8a35a87334c05df441cebb51 libvorbis-devel-1.1.0-3.el4_6.1.ia64.rpm 28a1816abce0854255ec8fd78e6d0218 x86_64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.x86_64.rpm 412cde92f0de816f9d062811e03e4af8 libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm 8684f07c831784590e6cb2de3cd762d4 Red Hat Enterprise Linux WS (v. 3) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.0-10.el3.src.rpm 487d870492fb60ea1fa624f50b40975b IA-32: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-devel-1.0-10.el3.i386.rpm 6de896c294690ea480a65dedde14a7e3 IA-64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.ia64.rpm 38f44a7d0af1600b46c8b4e3cc144444 libvorbis-devel-1.0-10.el3.ia64.rpm 70605d1d6b8492bd67295db79b58dc32 x86_64: libvorbis-1.0-10.el3.i386.rpm c3f278cc535e5499c8f9d54d2110bef7 libvorbis-1.0-10.el3.x86_64.rpm 57857d4e5f2bff381c538f9c3cf0c1e9 libvorbis-devel-1.0-10.el3.x86_64.rpm 25a8ad62ec1137f3163d2cfeeaa8cdbd Red Hat Enterprise Linux WS (v. 4) -------------------------------------------------------------------------------- SRPMS: libvorbis-1.1.0-3.el4_6.1.src.rpm 4ec9713d21f447711704b8ca57a23f85 IA-32: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm 45394583ab67b47c6ccbce43730b9b7c IA-64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.ia64.rpm 64d1491d8a35a87334c05df441cebb51 libvorbis-devel-1.1.0-3.el4_6.1.ia64.rpm 28a1816abce0854255ec8fd78e6d0218 x86_64: libvorbis-1.1.0-3.el4_6.1.i386.rpm 4e7520585b8ed2a81ba27f40e1327bf4 libvorbis-1.1.0-3.el4_6.1.x86_64.rpm 412cde92f0de816f9d062811e03e4af8 libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm 8684f07c831784590e6cb2de3cd762d4 (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 440700 - CVE-2008-1419 vorbis: zero-dim codebooks can cause crash, infinite loop or heap overflow 440706 - CVE-2008-1420 vorbis: integer overflow in partvals computation 440709 - CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1419 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1423 http://www.redhat.com/security/updates/classification/#important -------------------------------------------------------------------------------- These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/ [***** End Red Hat RHSA-2008:0270-5 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) S-213: Nukedit 'email' Parameter Vulnerability S-214: SurgeMail and WebMail 'Page' Command Vulnerability S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability S-217: Drupal Multiple HTML Vulnerabilities S-218: gd Security Update S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability S-221: Learn2 STRunner ActiveX Control Vulnerabilities S-222: Evolution Security Update