[USN-682-1] libvorbis vulnerabilities
Subject: [USN-682-1] libvorbis vulnerabilities
From: Marc Deslauriers <marc.deslauriers@canonical.com.>
Date: Mon, 01 Dec 2008 12:11:59 -0500
===========================================================
Ubuntu Security Notice USN-682-1 December 01, 2008
libvorbis vulnerabilities
CVE-2008-1419, CVE-2008-1420, CVE-2008-1423
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libvorbis0a                     1.1.2-0ubuntu2.3

Ubuntu 7.10:
  libvorbis0a                     1.2.0.dfsg-1ubuntu0.1

Ubuntu 8.04 LTS:
  libvorbis0a                     1.2.0.dfsg-2ubuntu0.1

After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.

Details follow:

It was discovered that libvorbis did not correctly handle certain malformed
sound files. If a user were tricked into opening a specially crafted sound
file with an application that uses libvorbis, an attacker could execute
arbitrary code with the user's privileges.
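
An added example, not part of the original advisory: a fleet-side check that compares an inventoried libvorbis0a version with the fixed version listed above for each release, using a Python port of dpkg's version ordering (plain string comparison gets cases such as revision 10 versus 2 wrong). The host names and installed versions in INVENTORY are constructed sample data, and all function names are hypothetical.

```python
import re

# Fixed libvorbis0a versions per release, taken from the advisory text.
FIXED = {
    "6.06": "1.1.2-0ubuntu2.3",
    "7.10": "1.2.0.dfsg-1ubuntu0.1",
    "8.04": "1.2.0.dfsg-2ubuntu0.1",
}
# Constructed sample inventory: (host, Ubuntu release, installed libvorbis0a).
INVENTORY = [
    ("web01", "6.06", "1.1.2-0ubuntu2.2"),
    ("desk03", "8.04", "1.2.0.dfsg-2"),
    ("desk04", "8.04", "1.2.0.dfsg-10ubuntu1"),
]

def _order(c):
    # dpkg character order: '~' first, then end/digits, letters, the rest.
    if c == "~" or "0" <= c <= "9":
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit and numeric runs, as dpkg does.
    while a or b:
        while (a and not "0" <= a[0] <= "9") or (b and not "0" <= b[0] <= "9"):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    # Split "[epoch:]upstream[-revision]"; a missing epoch counts as 0.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def needs_upgrade(inventory):
    return [h for h, rel, ver in inventory if compare(ver, FIXED[rel]) < 0]
```

On an affected host itself, `dpkg --compare-versions` performs the same comparison against the installed package version.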