Posted: Mon Sep 07, 2009 2:26 am Post subject: [ GLSA 200909-02 ] libvorbis: User-assisted execution of arb
Gentoo Linux Security Advisory
Title: libvorbis: User-assisted execution of arbitrary code (GLSA 200909-02)
Date: September 07, 2009
A processing error in libvorbis might result in the execution of arbitrary
code or a Denial of Service.
libvorbis is the reference implementation of the Xiph.org Ogg Vorbis
audio file format. It is used by many applications for playback of Ogg
Vulnerable: < 1.2.3
Unaffected: >= 1.2.3
Architectures: All supported architectures
Lucas Adamski reported that libvorbis does not correctly process file
headers, related to static mode headers and encoding books.
A remote attacker could entice a user to play a specially crafted OGG
Vorbis file using an application that uses libvorbis, possibly
resulting in the execution of arbitrary code with the privileges of the
user running the application, or a Denial of Service.
There is no known workaround at this time.
All libvorbis users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libvorbis-1.2.3"
Last edited by GLSA on Tue May 29, 2012 4:27 am; edited 5 times in total
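
The following check is an added example, not part of the advisory or of Gentoo's tooling: it classifies a libvorbis version string against the advisory's ranges (vulnerable below 1.2.3, unaffected from 1.2.3 on). The function names are hypothetical, and it assumes the version string is dotted numeric with an optional Gentoo `-rN` revision; anything else is reported as unknown.

```shell
#!/bin/sh
# Added example: classify a libvorbis version against GLSA 200909-02.
FIXED="1.2.3"   # first unaffected version, taken from the advisory

# Drop a Gentoo revision suffix (-r1, -r2, ...); only the upstream
# version is compared against the advisory's threshold.
strip_revision() {
    printf '%s\n' "$1" | sed 's/-r[0-9][0-9]*$//'
}

# Exit status: 0 = lower than FIXED, 1 = FIXED or newer, 2 = not parseable.
is_vulnerable() {
    ver=$(strip_revision "$1")
    case "$ver" in
        ''|*[!0-9.]*) return 2 ;;   # suffixes such as _rc1 are not handled
    esac
    # Compare component by component; missing components count as 0.
    awk -v a="$ver" -v b="$FIXED" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable", "unaffected" or "unknown" for one version string.
classify() {
    if is_vulnerable "$1"; then
        echo "vulnerable"
    else
        case $? in
            1) echo "unaffected" ;;
            *) echo "unknown" ;;
        esac
    fi
}

# Classify every version passed on the command line.
for v in "$@"; do
    printf '%s: %s\n' "$v" "$(classify "$v")"
done
```

Pass it the installed version as reported by the package manager; a result of "unknown" means the version needs a manual comparison against 1.2.3.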