Launchpad has imported 18 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=217715.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-04-14T20:01:33+00:00 rbu wrote:

xiph's (lib)speex 1.2 beta 3.2 has been tagged that fixes CVE-2008-1686
directly in the speex_header_to_packet() function which applications
use. Sanitations inside applications are therefore unnecessary.

Patch:
  https://trac.xiph.org/changeset/14701

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/11

------------------------------------------------------------------------
On 2008-04-15T09:35:05+00:00 ssuominen wrote:

And we have it in Portage now,

*speex-1.2_beta3_p2 (15 Apr 2008)

  15 Apr 2008; Samuli Suominen <d...@gentoo.org> -speex-1.1.7.ebuild,
  +speex-1.2_beta3_p2.ebuild:
  Version bump.


Reply at: 
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/13

------------------------------------------------------------------------
On 2008-04-15T10:38:43+00:00 rbu wrote:

Arch Security Liaisons, please test and mark stable:
=media-libs/speex-1.2_beta3_p2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer


Reply at: 
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/14

------------------------------------------------------------------------
On 2008-04-15T13:17:57+00:00 armin76 wrote:

Adding Tobias for alpha

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/15

------------------------------------------------------------------------
On 2008-04-15T13:46:01+00:00 fmccor wrote:

Sparc stable (tested with {.wav}).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/16

------------------------------------------------------------------------
On 2008-04-15T16:17:10+00:00 corsair wrote:

ppc64 stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/18

------------------------------------------------------------------------
On 2008-04-15T16:51:29+00:00 ssuominen wrote:

amd64 stable, tested by playing with ogg123 (vorbis-tools using USE speex) and
converting .spx to .wav and back to .spx using speexdec and speexenc
also tested by an AT (VQuickSilver, Freenode), thanks to him


Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/19

------------------------------------------------------------------------
On 2008-04-15T20:00:45+00:00 klausman wrote:

Stable for alpha.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/21

------------------------------------------------------------------------
On 2008-04-15T21:53:19+00:00 rbu wrote:

*** Bug 217820 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/22

------------------------------------------------------------------------
On 2008-04-16T19:08:12+00:00 dertobi123 wrote:

ppc stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/23

------------------------------------------------------------------------
On 2008-04-17T01:04:10+00:00 maekke wrote:

x86 stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/24

------------------------------------------------------------------------
On 2008-04-17T09:42:39+00:00 vorlon wrote:

now public via http://www.ocert.org/advisories/ocert-2008-004.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/29

------------------------------------------------------------------------
On 2008-04-17T09:59:20+00:00 vorlon wrote:

removing arch security liaisons, adding missing arches, adding sound herd
hope I didn't forget to remove/add anyone

glsa request filed

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/30

------------------------------------------------------------------------
On 2008-04-17T10:02:30+00:00 vorlon wrote:

really removing this time

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/31

------------------------------------------------------------------------
On 2008-04-17T10:18:10+00:00 armin76 wrote:

ia64 stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/32

------------------------------------------------------------------------
On 2008-04-17T10:53:48+00:00 klausman wrote:

Removing myself since I stood in for ferdy as sec liaison for Alpha.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/33

------------------------------------------------------------------------
On 2008-04-17T12:15:52+00:00 rbu wrote:

GLSA 200804-17.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/34

------------------------------------------------------------------------
On 2008-04-21T08:16:15+00:00 pva wrote:

Fixed in release snapshot.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652/comments/36

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gst-plugins-good0.10 in
Ubuntu.
https://bugs.launchpad.net/bugs/218652

Title:
  CVE-2008-1686: Multiple speex implementations insufficient boundary
  checks

Status in vorbis-tools:
  Fix Released
Status in xine-lib:
  Fix Released
Status in gst-plugins-good0.10 package in Ubuntu:
  Invalid
Status in libannodex package in Ubuntu:
  Invalid
Status in libfishsound package in Ubuntu:
  Fix Released
Status in libsdl-sound1.2 package in Ubuntu:
  Won't Fix
Status in speex package in Ubuntu:
  Invalid
Status in sweep package in Ubuntu:
  Won't Fix
Status in vlc package in Ubuntu:
  Fix Released
Status in vorbis-tools package in Ubuntu:
  Fix Released
Status in xine-lib package in Ubuntu:
  Fix Released
Status in xmms-speex package in Ubuntu:
  Invalid
Status in gst-plugins-good0.10 source package in Dapper:
  Fix Released
Status in libannodex source package in Dapper:
  Won't Fix
Status in libfishsound source package in Dapper:
  Won't Fix
Status in libsdl-sound1.2 source package in Dapper:
  Won't Fix
Status in speex source package in Dapper:
  Fix Released
Status in sweep source package in Dapper:
  Won't Fix
Status in vlc source package in Dapper:
  Won't Fix
Status in vorbis-tools source package in Dapper:
  Fix Released
Status in xine-lib source package in Dapper:
  Fix Released
Status in xmms-speex source package in Dapper:
  Invalid
Status in gst-plugins-good0.10 source package in Feisty:
  Fix Released
Status in libannodex source package in Feisty:
  Won't Fix
Status in libfishsound source package in Feisty:
  Won't Fix
Status in libsdl-sound1.2 source package in Feisty:
  Won't Fix
Status in speex source package in Feisty:
  Fix Released
Status in sweep source package in Feisty:
  Won't Fix
Status in vlc source package in Feisty:
  Won't Fix
Status in vorbis-tools source package in Feisty:
  Fix Released
Status in xine-lib source package in Feisty:
  Fix Released
Status in xmms-speex source package in Feisty:
  Won't Fix
Status in gst-plugins-good0.10 source package in Gutsy:
  Fix Released
Status in libannodex source package in Gutsy:
  Won't Fix
Status in libfishsound source package in Gutsy:
  Won't Fix
Status in libsdl-sound1.2 source package in Gutsy:
  Won't Fix
Status in speex source package in Gutsy:
  Fix Released
Status in sweep source package in Gutsy:
  Won't Fix
Status in vlc source package in Gutsy:
  Won't Fix
Status in vorbis-tools source package in Gutsy:
  Fix Released
Status in xine-lib source package in Gutsy:
  Fix Released
Status in xmms-speex source package in Gutsy:
  Won't Fix
Status in gst-plugins-good0.10 source package in Hardy:
  Fix Released
Status in libannodex source package in Hardy:
  Won't Fix
Status in libfishsound source package in Hardy:
  Fix Released
Status in libsdl-sound1.2 source package in Hardy:
  Won't Fix
Status in speex source package in Hardy:
  Fix Released
Status in sweep source package in Hardy:
  Won't Fix
Status in vlc source package in Hardy:
  Fix Released
Status in vorbis-tools source package in Hardy:
  Fix Released
Status in xine-lib source package in Hardy:
  Fix Released
Status in xmms-speex source package in Hardy:
  Invalid
Status in speex package in Fedora:
  Fix Released
Status in speex package in Gentoo Linux:
  Fix Released

Bug description:
  Description

  Uncontrolled array index in Speex 1.1.12 and earlier, as used in
  libfishsound 0.9.0 and earlier, including Illiminable DirectShow
  Filters and Annodex Plugins for Firefox, allows remote attackers to
  execute arbitrary code via a header structure containing a negative
  offset, which is used to dereference a function pointer.

  See:
  http://www.ocert.org/advisories/ocert-2008-2.html
  http://www.ocert.org/advisories/ocert-2008-004.html

  From the oCERT advisory #2008-002:

  "The libfishsound decoder library incorrectly implements the
  reference speex decoder from the Speex library, performing
  insufficient boundary checks on a header structure read from user
  input.

  A user controlled field in the header structure is used to build a
  function pointer. The libfishsound implementation does not check for
  negative values for the field, allowing the function pointer to be
  pointed at an arbitrary position in memory. This allows remote code
  execution.

  A patch has been committed to the libfishsound public repository.

  Affected version: <= 0.9.0

  Fixed version: 0.9.1

  Additional affected packages:

  Speex <= 1.1.12, the reference implementation from which libfishsound
  is derived.

  Illiminable DirectShow Filters, which statically include the
  libfishsound library.

  Annodex Plugins for Firefox.

  Credit: reporter wishes to remain anonymous

  CVE: CVE-2008-1686"

  
  From the oCERT advisory #2008-004:

  "The reference speex decoder from the Speex library performs insufficient
  boundary checks on a header structure read from user input, this has been
  reported in oCERT-2008-002 advisory.

  Further investigation showed that several packages include similar code and
  are therefore vulnerable.

  In order to prevent the usage of incorrect header processing reference code,
  the speex_packet_to_header() function has been modified to bound the returned
  mode values in Speex >= 1.2beta3.2. This change automatically fixes
  applications that use the Speex library dynamically.

  Affected version:

  gstreamer-plugins-good <= 0.10.8
  SDL_sound <= 1.0.1
  Speex <= 1.1.12 (speexdec)
  Sweep <= 0.9.2
  vorbis-tools <= 1.2.0
  VLC Media Player <= 0.8.6f
  xine-lib <= 1.1.11.1
  XMMS speex plugin

  Fixed version:

  gstreamer-plugins-good, >= 0.10.8 (patched in CVS)
  SDL_sound, patched in CVS
  Speex >= 1.2beta3.2 (patched in CVS)
  Sweep >= 0.9.3
  vorbis-tools, patched in CVS
  VLC Media Player, N/A
  xine-lib >= 1.1.12
  XMMS speex plugin, N/A

  Credit: see oCERT-2008-002, additionally we would like to thank Tomas Hoger
  from the Red Hat Security Response Team for his help in investigating the
  issue.

  CVE: CVE-2008-1686"
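
The bounds check the advisories describe, shown as an added C example (not code from Speex, libfishsound or this bug report). The mode table, the header layout, the sample bytes and every name are constructed for illustration, and the weak check is modelled as an upper-bound-only test, which is an assumption about its form.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_NB_MODES 3   /* size of the constructed mode table */

typedef int (*decode_fn)(void);
static int dec_nb(void)  { return 8000; }
static int dec_wb(void)  { return 16000; }
static int dec_uwb(void) { return 32000; }

/* Constructed stand-in for a codec's table of per-mode decoder entry points. */
static const decode_fn demo_mode_table[DEMO_NB_MODES] = { dec_nb, dec_wb, dec_uwb };

/* Constructed sample headers: one 4-byte little-endian mode field at offset 0. */
const unsigned char hdr_ok[4]  = { 0x01, 0x00, 0x00, 0x00 };  /* mode 1  */
const unsigned char hdr_neg[4] = { 0xff, 0xff, 0xff, 0xff };  /* mode -1 */
const unsigned char hdr_big[4] = { 0x03, 0x00, 0x00, 0x00 };  /* mode 3  */

/* Read a signed 32-bit little-endian field from untrusted packet bytes. */
static int32_t read_le32(const unsigned char *p) {
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    int32_t out;
    memcpy(&out, &v, sizeof out);
    return out;
}

/* Weak check: only the upper bound is tested, so a negative mode passes.
   Returns 1 if the mode would be accepted; it never indexes the table. */
int weak_check_accepts(int32_t mode) {
    return !(mode >= DEMO_NB_MODES);
}

/* Hardened lookup: reject negative and too-large values before indexing.
   Returns NULL for a truncated header or a mode outside the table. */
decode_fn lookup_mode(const unsigned char *hdr, size_t len, size_t mode_off) {
    if (hdr == NULL || len < 4 || mode_off > len - 4)
        return NULL;                    /* truncated header */
    int32_t mode = read_le32(hdr + mode_off);
    if (mode < 0 || mode >= DEMO_NB_MODES)
        return NULL;                    /* out-of-range mode */
    return demo_mode_table[mode];
}
```

Callers treat a NULL return as a malformed stream and stop decoding, which is the effect of bounding the mode value inside the library rather than in each application.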
