Description:
The remote host is missing an update to libvorbis announced via advisory FEDORA-2008-3934.
Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel.
The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis.
Update Information:
Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423) Moreover, additional OGG file sanity-checks have been added to prevent possible exploitation of similar issues in the future.
ChangeLog:
* Wed May 14 2008 Jindrich Novy - 1:1.2.0-2 - fix CVE-2008-1420, CVE-2008-1419, CVE-2008-1423 (#446342)
References:
[ 1 ] Bug #440706 - CVE-2008-1420 vorbis: integer overflow in partvals computation
https://bugzilla.redhat.com/show_bug.cgi?id=440706
[ 2 ] Bug #440709 - CVE-2008-1423 vorbis: integer overflow caused by huge codebooks
https://bugzilla.redhat.com/show_bug.cgi?id=440709
[ 3 ] Bug #440700 - CVE-2008-1419 vorbis: zero-dim codebooks can cause crash, infinite loop or heap overflow
https://bugzilla.redhat.com/show_bug.cgi?id=440700
Solution: Apply the appropriate updates.
This update can be installed with the yum update program. Use su -c 'yum update libvorbis' at the command line. For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/.
http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2008-3934
Risk factor : Critical
CVSS Score: 9.3