LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for January 8, 2009

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Fedora alert FEDORA-2008-3910 (libvorbis)



From:
    	      updates@fedoraproject.org


To:
    	      fedora-package-announce@redhat.com


Subject:
    	      [SECURITY] Fedora 9 Update: libvorbis-1.2.0-4.fc9


Date:
    	      Wed, 14 May 2008 22:10:23 +0000


Message-ID:
    	      <200805142210.m4EMAF5Y000682@bastion.fedora.phx.redhat.com>


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-3910
2008-05-14 21:00:37
--------------------------------------------------------------------------------

Name        : libvorbis
Product     : Fedora 9
Version     : 1.2.0
Release     : 4.fc9
URL         : http://www.xiph.org/
Summary     : The Vorbis General Audio Compression Codec.
Description :
Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,
general-purpose compressed audio format for audio and music at fixed
and variable bitrates from 16 to 128 kbps/channel.

The libvorbis package contains runtime libraries for use in programs
that support Ogg Vorbis.

--------------------------------------------------------------------------------
Update Information:

Will Drewry of the Google Security Team reported several flaws in the way
libvorbis processed audio data. An attacker could create a carefully  crafted
OGG audio file in such a way that it could cause an application  linked with
libvorbis to crash, or execute arbitrary code when it was  opened.
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)    Moreover, additional OGG file
sanity-checks have been added to prevent  possible exploitation of similar
issues in the future.
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 14 2008 Jindrich Novy <jnovy@redhat.com> - 1:1.2.0-4
- fix CVE-2008-1420, CVE-2008-1419, CVE-2008-1423 (#446342)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #440706 - CVE-2008-1420 vorbis: integer overflow in partvals computation
        https://bugzilla.redhat.com/show_bug.cgi?id=440706
  [ 2 ] Bug #440700 - CVE-2008-1419 vorbis: zero-dim codebooks can cause crash, infinite loop or
heap overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=440700
  [ 3 ] Bug #440709 - CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks
        https://bugzilla.redhat.com/show_bug.cgi?id=440709
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update libvorbis' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
(Log in to post comments)

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds