Vulnerabilities > CVE-2008-1686 - Numeric Errors vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
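NASL family Mandriva Local Security Checks
NASL id MANDRIVA_MDVSA-2008-092.NASL
description A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The speex plugin in the gstreamer-plugins-good package is similarly affected by this issue. The updated packages have been patched to correct this issue.
last seen 2020-06-01
modified 2020-06-02
plugin id 36584
published 2009-04-23
reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/36584
title Mandriva Linux Security Advisory : gstreamer-plugins-good (MDVSA-2008:092)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2008:092.
# The text itself is copyright (C) Mandriva S.A.
#

# Purpose: report a Mandriva Linux 2008.0 / 2008.1 host whose installed
# gstreamer0.10-* packages fail the comparison against the builds named in
# MDVSA-2008:092 (CVE-2008-1686).
#
# Scope note: this is a package-inventory check (plugin_type "local",
# summary "Checks rpm output for the updated packages"). It compares rpm
# names and versions from the knowledge base and does not exercise the
# Speex header parsing itself. Only the gstreamer0.10-* rpm names listed
# below are compared; Speex code delivered by any other package or bundle
# is outside what this script looks at.

include("compat.inc");

# Registration pass: declare the plugin's metadata and stop. No host data
# is read in this branch.
if (description)
{
  script_id(36584);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:50");

  script_cve_id("CVE-2008-1686");
  script_xref(name:"MDVSA", value:"2008:092");

  script_name(english:"Mandriva Linux Security Advisory : gstreamer-plugins-good (MDVSA-2008:092)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. 
An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The speex plugin in the gstreamer-plugins-good package is similarly affected by this issue. The updated packages have been patched to correct this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://ocert.org/advisories/ocert-2008-004.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");

  # CVSS v2 base vector: network vector, medium complexity, no
  # authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-aalib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-caca");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-dv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-esound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-flac");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-plugins-good");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-raw1394");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-speex");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-wavpack");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network 
Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # The check runs only when these knowledge-base keys exist; they are
  # presumably filled in by the ssh_get_info.nasl dependency (confirm there).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Preconditions: each missing input ends the script with an audit reason
# instead of a finding, so "no result" is never read as "patched".
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architectures other than amd64, i386-i686 and x86_64 are audited as
# "not implemented"; such hosts get no verdict from this plugin.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


# One rpm_check() per package and release. Each "reference" is the package
# build named for that release in the advisory; rpm_check() is defined in
# rpm.inc and presumably returns true when the installed build is older
# (confirm there, including the effect of yank:"mdv").
flag = 0;

# Mandriva Linux 2008.0
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-aalib-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-caca-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-dv-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-esound-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-flac-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-plugins-good-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-raw1394-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-speex-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-wavpack-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;

# Mandriva Linux 2008.1
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-aalib-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-caca-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-dv-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-esound-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-flac-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-plugins-good-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-raw1394-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-speex-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-wavpack-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;


# Any hit raises the finding; at report verbosity above 0 the text from
# rpm_report_get() is attached as extra detail. With no hit the host is
# audited as not affected.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");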
NASL family SuSE Local Security Checks
NASL id SUSE_VORBIS-TOOLS-5193.NASL
description Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
last seen 2020-06-01
modified 2020-06-02
plugin id 33092
published 2008-06-04
reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/33092
title SuSE 10 Security Update : vorbis-tools (ZYPP Patch Number 5193)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

# Purpose: report a SuSE 10 host whose vorbis-tools package fails the
# comparison against the build delivered by ZYPP patch 5193
# (CVE-2008-1686).
#
# Scope note: this is a package-inventory check (plugin_type "local",
# summary "Checks rpm output for the updated package"). A single
# release / service-pack pair is compared below (SLED10, sp:1); nothing
# here exercises the Speex header parsing itself.

include("compat.inc");

# Registration pass: declare metadata, then stop without touching host data.
if (description)
{
  script_id(33092);
  script_version ("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:33");

  script_cve_id("CVE-2008-1686");

  script_name(english:"SuSE 10 Security Update : vorbis-tools (ZYPP Patch Number 5193)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. 
(CVE-2008-1686)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2008-1686.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5193.");

  # CVSS v2 base vector: network vector, medium complexity, no
  # authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # Knowledge-base keys the check needs; presumably filled in by the
  # ssh_get_info.nasl dependency (confirm there).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


# Preconditions. exit(0, ...) is used where the check does not apply and
# exit(1, ...) where required data could not be obtained.
if (!get_kb_item("Host/local_checks_enabled"))
{
  exit(0, "Local checks are not enabled.");
}
if (!get_kb_item("Host/SuSE/release"))
{
  exit(0, "The host is not running SuSE.");
}
if (!get_kb_item("Host/SuSE/rpm-list"))
{
  exit(1, "Could not obtain the list of installed packages.");
}

# Top-level variable names are kept as in the original script.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  exit(1, "Failed to determine the architecture type.");
}

# Proceed only when cpu is contained in "x86_64" or matches i386-i686;
# any other architecture ends the script without a verdict.
if (!(cpu >< "x86_64" || cpu =~ "^i[3-6]86$"))
{
  exit(1, "Local checks for SuSE 10 on the '" + cpu + "' architecture have not been implemented.");
}


# rpm_check() is defined in rpm.inc; it presumably returns true when the
# installed vorbis-tools build is older than the reference (confirm there).
flag = 0;
if (rpm_check(release:"SLED10", sp:1, reference:"vorbis-tools-1.1.1-13.7"))
{
  flag += 1;
}

# No hit: leave with the "not affected" message and raise nothing.
if (!flag)
{
  exit(0, "The host is not affected.");
}

# Hit: raise the finding, attaching rpm_report_get() text when report
# verbosity is above 0.
if (report_verbosity > 0)
{
  security_hole(port:0, extra:rpm_report_get());
}
else
{
  security_hole(0);
}
exit(0);
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0235.NASL description From Red Hat Security Advisory 2008:0235 : Updated speex packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67684 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67684 title Oracle Linux 4 / 5 : speex (ELSA-2008-0235) NASL family SuSE Local Security Checks NASL id SUSE_XINE-DEVEL-5304.NASL description Specially crafted NSF files could potentially be exploited to execute arbitrary code. (CVE-2008-1878) Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686) last seen 2020-06-01 modified 2020-06-02 plugin id 51767 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/51767 title SuSE 10 Security Update : xine (ZYPP Patch Number 5304) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-094.NASL description A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 37726 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37726 title Mandriva Linux Security Advisory : speex (MDVSA-2008:094) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3117.NASL description - Bug #441239 - CVE-2008-1686 speex, libfishsound: insufficient boundary checks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32382 published 2008-05-20 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32382 title Fedora 7 : libfishsound-0.9.1-1.fc7 (2008-3117) NASL family SuSE Local Security Checks NASL id SUSE_XINE-DEVEL-5205.NASL description Specially crafted NSF files could potentially be exploited to execute arbitrary code. (CVE-2008-1878) Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. 
(CVE-2008-1686) last seen 2020-06-01 modified 2020-06-02 plugin id 32393 published 2008-05-20 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32393 title SuSE 10 Security Update : xine-lib (ZYPP Patch Number 5205) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-611-1.NASL description It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32191 published 2008-05-09 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32191 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : speex vulnerability (USN-611-1) NASL family SuSE Local Security Checks NASL id SUSE_VORBIS-TOOLS-5192.NASL description Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code (CVE-2008-1686). last seen 2020-06-01 modified 2020-06-02 plugin id 33091 published 2008-06-04 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33091 title openSUSE 10 Security Update : vorbis-tools (vorbis-tools-5192) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-611-2.NASL description USN-611-1 fixed a vulnerability in Speex. 
This update provides the corresponding update for ogg123, part of vorbis-tools. It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32192 published 2008-05-09 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32192 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : vorbis-tools vulnerability (USN-611-2) NASL family SuSE Local Security Checks NASL id SUSE_VORBIS-TOOLS-5302.NASL description Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686) last seen 2020-06-01 modified 2020-06-02 plugin id 51764 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51764 title SuSE 10 Security Update : Ogg Vorbis tools (ZYPP Patch Number 5302) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-111-01.NASL description New xine-lib packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues. An overflow was found in the Speex decoder that could lead to a crash or possible execution of arbitrary code. Xine-lib <= 1.1.12 was also found to be vulnerable to a stack-based buffer overflow in the NES demuxer (thanks to milw0rm.com). 
last seen 2020-06-01 modified 2020-06-02 plugin id 32033 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32033 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : xine-lib (SSA:2008-111-01) NASL family SuSE Local Security Checks NASL id SUSE_GSTREAMER010-PLUGINS-GOOD-5195.NASL description Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code (CVE-2008-1686). last seen 2020-06-01 modified 2020-06-02 plugin id 33161 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33161 title openSUSE 10 Security Update : gstreamer010-plugins-good (gstreamer010-plugins-good-5195) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3059.NASL description CVE-2008-1686 libfishsound: insufficient boundary checks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31973 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31973 title Fedora 8 : libfishsound-0.9.1-1.fc8 (2008-3059) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3103.NASL description Security update: Add mode checks to speex_packet_to_header() to protect applications using speex library and not having proper checks (CVE-2008-1686, #441239, https://trac.xiph.org/changeset/14701) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31980 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31980 title Fedora 8 : speex-1.2-0.4.beta2 (2008-3103) NASL family Scientific Linux Local Security Checks NASL id SL_20080416_SPEEX_ON_SL4_X.NASL description The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) last seen 2020-06-01 modified 2020-06-02 plugin id 60386 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60386 title Scientific Linux Security Update : speex on SL4.x, SL5.x i386/x86_64 NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_7A7C585310A311DD8EB800163E000016.NASL description xine Team reports : A new xine-lib version is now available. This release contains a security fix (an unchecked array index that could allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.) last seen 2020-06-01 modified 2020-06-02 plugin id 32066 published 2008-04-28 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/32066 title FreeBSD : libxine -- array index vulnerability (7a7c5853-10a3-11dd-8eb8-00163e000016) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-124.NASL description A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). Xine-lib is similarly affected by this issue. As well, the previous version of xine as provided in Mandriva Linux 2008.1 would crash when playing matroska files, and a regression was introduced that prevented Amarok from playing m4a files. The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 37421 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37421 title Mandriva Linux Security Advisory : xine-lib (MDVSA-2008:124) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-093.NASL description A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The ogg123 application in vorbis-tools is similarly affected by this issue. The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 37218 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/37218 title Mandriva Linux Security Advisory : vorbis-tools (MDVSA-2008:093) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-611-3.NASL description USN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for GStreamer Good Plugins. It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32193 published 2008-05-09 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32193 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : gst-plugins-good0.10 vulnerability (USN-611-3) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1586.NASL description Multiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player. The Common Vulnerabilities and Exposures project identifies the following three problems : - CVE-2008-1482 Integer overflow vulnerabilities exist in xine last seen 2020-06-01 modified 2020-06-02 plugin id 32435 published 2008-05-23 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/32435 title Debian DSA-1586-1 : xine-lib - multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_GSTREAMER010-PLUGINS-GOOD-5185.NASL description Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686) last seen 2020-06-01 modified 2020-06-02 plugin id 33160 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33160 title SuSE 10 Security Update : gstreamer010-plugins (ZYPP Patch Number 5185) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3191.NASL description Security update: Add mode checks to speex_packet_to_header() to protect applications using speex library and not having proper checks (CVE-2008-1686, #441239, https://trac.xiph.org/changeset/14701) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31982 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31982 title Fedora 7 : speex-1.2-0.3.beta1 (2008-3191) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1585.NASL description It was discovered that speex, the Speex codec command line tools, did not correctly deal with negative offsets in a particular header field. This could allow a malicious file to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 32407 published 2008-05-22 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/32407 title Debian DSA-1585-1 : speex - integer overflow NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-635-1.NASL description Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073) Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238) Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486) It was discovered that the ASF demuxer in xine-lib did not properly check the length if the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110) It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1161) Luigi Auriemma discovered multiple integer overflows in xine-lib. If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. 
(CVE-2008-1482) It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686) Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1878). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33940 published 2008-08-20 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33940 title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : xine-lib vulnerabilities (USN-635-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0235.NASL description Updated speex packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. 
An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 32000 published 2008-04-22 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32000 title CentOS 4 / 5 : speex (CESA-2008:0235) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_633716FA1F8F11DDB1430211D880E350.NASL description Secunia reports : A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a user last seen 2020-06-01 modified 2020-06-02 plugin id 32299 published 2008-05-13 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32299 title FreeBSD : vorbis-tools -- Speex header processing vulnerability (633716fa-1f8f-11dd-b143-0211d880e350) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1584.NASL description It was discovered that libfishsound, a simple programming interface that wraps Xiph.Org audio codecs, didn last seen 2020-06-01 modified 2020-06-02 plugin id 32406 published 2008-05-22 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/32406 title Debian DSA-1584-1 : libfishsound - buffer overflow NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200804-17.NASL description The remote host is affected by the vulnerability described in GLSA-200804-17 (Speex: User-assisted execution of arbitrary code) oCERT reported that the Speex library does not properly validate the last seen 2020-06-01 modified 2020-06-02 plugin id 32010 published 2008-04-22 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32010 title GLSA-200804-17 : Speex: User-assisted execution of arbitrary code NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0235.NASL description Updated speex packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 31988 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/31988 title RHEL 4 / 5 : speex (RHSA-2008:0235) NASL family SuSE Local Security Checks NASL id SUSE_XINE-DEVEL-5204.NASL description Specially crafted NSF files could potentially be exploited to execute arbitrary code (CVE-2008-1878). Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code (CVE-2008-1686). last seen 2020-06-01 modified 2020-06-02 plugin id 32392 published 2008-05-20 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32392 title openSUSE 10 Security Update : xine-devel (xine-devel-5204) NASL family SuSE Local Security Checks NASL id SUSE_SPEEX-5364.NASL description Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686) last seen 2020-06-01 modified 2020-06-02 plugin id 33434 published 2008-07-08 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33434 title SuSE 10 Security Update : speex (ZYPP Patch Number 5364)
Oval
accepted | 2013-04-29T04:00:35.867-04:00
class | vulnerability
contributors |
definition_extensions |
description | Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.
family | unix
id | oval:org.mitre.oval:def:10026
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.
version | 27
Redhat
advisories |
rpms |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 28665 CVE(CAN) ID: CVE-2008-1686 fishsound库提供一个编程接口,允许使用Xiph.Org codec(FLAC、Speex和Vorbis)编码和解码音频数据。 fishsound库所使用的Speex库在处理Speex头时存在数组索引错误,如果特制的Speex流在头中包含有负数的modeID字段的话就可能导致执行任意指令。 Speex头中包含有32位的modeID字段,libspeex将其解释为有符号的int型(spx_int32_t)。正常的使用方法是索引到全局模式列表以检索SpeexMode *: mode = (SpeexMode *)speex_mode_list[modeID]; 然后创建解码器: st = speex_decoder_init(mode); 这会在libspeex中调用speex_decoder_init(),类似于: void *speex_decoder_init(const SpeexMode *mode) { return mode->dec_init(mode); } 因此如果没有保证流头中所给出的modeID处于speex_mode_list[]范围中,就会导致执行任意指令。fishsound检查了上边界(modeID < SPEEX_NB_MODES),但没有检查负数值。因此在索引speex_mode_list[]之前应同时检查上下界(modeID >= 0 且 modeID < SPEEX_NB_MODES)。 CSIRO FishSound <= 0.9.0 CSIRO ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.annodex.net/software/libfishsound/download/libfishsound-0.9.1.tar.gz |
id | SSV:3155 |
last seen | 2017-11-19 |
modified | 2008-04-13 |
published | 2008-04-13 |
reporter | Root |
title | FishSound库远程Speex解码代码执行漏洞 |
References
- http://blog.kfish.org/2008/04/release-libfishsound-091.html
- http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00001.html
- http://lists.xiph.org/pipermail/speex-dev/2008-April/006636.html
- http://secunia.com/advisories/29672
- http://secunia.com/advisories/29727
- http://secunia.com/advisories/29835
- http://secunia.com/advisories/29845
- http://secunia.com/advisories/29854
- http://secunia.com/advisories/29866
- http://secunia.com/advisories/29878
- http://secunia.com/advisories/29880
- http://secunia.com/advisories/29881
- http://secunia.com/advisories/29882
- http://secunia.com/advisories/29898
- http://secunia.com/advisories/30104
- http://secunia.com/advisories/30117
- http://secunia.com/advisories/30119
- http://secunia.com/advisories/30337
- http://secunia.com/advisories/30353
- http://secunia.com/advisories/30358
- http://secunia.com/advisories/30581
- http://secunia.com/advisories/30717
- http://secunia.com/advisories/31393
- http://security.gentoo.org/glsa/glsa-200804-17.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.460836
- http://sourceforge.net/project/shownotes.php?release_id=592185
- http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655
- http://www.debian.org/security/2008/dsa-1584
- http://www.debian.org/security/2008/dsa-1585
- http://www.debian.org/security/2008/dsa-1586
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:092
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:093
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:094
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:124
- http://www.metadecks.org/software/sweep/news.html
- http://www.novell.com/linux/security/advisories/2008_13_sr.html
- http://www.ocert.org/advisories/ocert-2008-004.html
- http://www.ocert.org/advisories/ocert-2008-2.html
- http://www.redhat.com/support/errata/RHSA-2008-0235.html
- http://www.securityfocus.com/archive/1/491009/100/0/threaded
- http://www.securityfocus.com/bid/28665
- http://www.securitytracker.com/id?1019875
- http://www.ubuntu.com/usn/usn-611-1
- http://www.ubuntu.com/usn/usn-611-2
- http://www.ubuntu.com/usn/usn-611-3
- http://www.ubuntu.com/usn/usn-635-1
- http://www.vupen.com/english/advisories/2008/1187/references
- http://www.vupen.com/english/advisories/2008/1228/references
- http://www.vupen.com/english/advisories/2008/1268/references
- http://www.vupen.com/english/advisories/2008/1269/references
- http://www.vupen.com/english/advisories/2008/1300/references
- http://www.vupen.com/english/advisories/2008/1301/references
- http://www.vupen.com/english/advisories/2008/1302/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41684
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10026
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00244.html
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00287.html
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00357.html