Vulnerabilities > CVE-2008-1686 - Numeric Errors vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-092.NASL
    descriptionA vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The speex plugin in the gstreamer-plugins-good package is similarly affected by this issue. The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id36584
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36584
    titleMandriva Linux Security Advisory : gstreamer-plugins-good (MDVSA-2008:092)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:092. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36584);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      script_cve_id("CVE-2008-1686");
      script_xref(name:"MDVSA", value:"2008:092");
    
      script_name(english:"Mandriva Linux Security Advisory : gstreamer-plugins-good (MDVSA-2008:092)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability in the Speex library was found where it did not
    properly validate input values read from the Speex files headers. An
    attacker could create a malicious Speex file that would crash an
    application or potentially allow the execution of arbitrary code with
    the privileges of the application calling the Speex library
    (CVE-2008-1686).
    
    The speex plugin in the gstreamer-plugins-good package is similarly
    affected by this issue.
    
    The updated packages have been patched to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://ocert.org/advisories/ocert-2008-004.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-aalib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-caca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-dv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-esound");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-flac");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-plugins-good");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-raw1394");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-speex");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gstreamer0.10-wavpack");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-aalib-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-caca-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-dv-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-esound-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-flac-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-plugins-good-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-raw1394-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-speex-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"gstreamer0.10-wavpack-0.10.6-3.1mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-aalib-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-caca-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-dv-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-esound-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-flac-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-plugins-good-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-raw1394-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-speex-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"gstreamer0.10-wavpack-0.10.7-3.1mdv2008.1", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_VORBIS-TOOLS-5193.NASL
    descriptionSpecially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id33092
    published2008-06-04
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33092
    titleSuSE 10 Security Update : vorbis-tools (ZYPP Patch Number 5193)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33092);
      script_version ("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2008-1686");
    
      script_name(english:"SuSE 10 Security Update : vorbis-tools (ZYPP Patch Number 5193)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Specially crafted files or streams could potentially be abused to
    trick applications that support speex into executing arbitrary code.
    (CVE-2008-1686)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1686.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5193.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:1, reference:"vorbis-tools-1.1.1-13.7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0235.NASL
    descriptionFrom Red Hat Security Advisory 2008:0235 : Updated speex packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id67684
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67684
    titleOracle Linux 4 / 5 : speex (ELSA-2008-0235)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_XINE-DEVEL-5304.NASL
    descriptionSpecially crafted NSF files could potentially be exploited to execute arbitrary code. (CVE-2008-1878) Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id51767
    published2011-01-27
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51767
    titleSuSE 10 Security Update : xine (ZYPP Patch Number 5304)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-094.NASL
    descriptionA vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id37726
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37726
    titleMandriva Linux Security Advisory : speex (MDVSA-2008:094)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3117.NASL
    description - Bug #441239 - CVE-2008-1686 speex, libfishsound: insufficient boundary checks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32382
    published2008-05-20
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32382
    titleFedora 7 : libfishsound-0.9.1-1.fc7 (2008-3117)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_XINE-DEVEL-5205.NASL
    descriptionSpecially crafted NSF files could potentially be exploited to execute arbitrary code. (CVE-2008-1878) Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id32393
    published2008-05-20
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32393
    titleSuSE 10 Security Update : xine-lib (ZYPP Patch Number 5205)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-611-1.NASL
    descriptionIt was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32191
    published2008-05-09
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32191
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : speex vulnerability (USN-611-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_VORBIS-TOOLS-5192.NASL
    descriptionSpecially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code (CVE-2008-1686).
    last seen2020-06-01
    modified2020-06-02
    plugin id33091
    published2008-06-04
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33091
    titleopenSUSE 10 Security Update : vorbis-tools (vorbis-tools-5192)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-611-2.NASL
    descriptionUSN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for ogg123, part of vorbis-tools. It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32192
    published2008-05-09
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32192
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : vorbis-tools vulnerability (USN-611-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_VORBIS-TOOLS-5302.NASL
    descriptionSpecially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id51764
    published2011-01-27
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51764
    titleSuSE 10 Security Update : Ogg Vorbis tools (ZYPP Patch Number 5302)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2008-111-01.NASL
    descriptionNew xine-lib packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues. An overflow was found in the Speex decoder that could lead to a crash or possible execution of arbitrary code. Xine-lib <= 1.1.12 was also found to be vulnerable to a stack-based buffer overflow in the NES demuxer (thanks to milw0rm.com).
    last seen2020-06-01
    modified2020-06-02
    plugin id32033
    published2008-04-25
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32033
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : xine-lib (SSA:2008-111-01)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GSTREAMER010-PLUGINS-GOOD-5195.NASL
    descriptionSpecially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code (CVE-2008-1686).
    last seen2020-06-01
    modified2020-06-02
    plugin id33161
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33161
    titleopenSUSE 10 Security Update : gstreamer010-plugins-good (gstreamer010-plugins-good-5195)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3059.NASL
    descriptionCVE-2008-1686 libfishsound: insufficient boundary checks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31973
    published2008-04-18
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31973
    titleFedora 8 : libfishsound-0.9.1-1.fc8 (2008-3059)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3103.NASL
    descriptionSecurity update: Add mode checks to speex_packet_to_header() to protect applications using speex library and not having proper checks (CVE-2008-1686, #441239, https://trac.xiph.org/changeset/14701) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31980
    published2008-04-18
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31980
    titleFedora 8 : speex-1.2-0.4.beta2 (2008-3103)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080416_SPEEX_ON_SL4_X.NASL
    descriptionThe Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id60386
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60386
    titleScientific Linux Security Update : speex on SL4.x, SL5.x i386/x86_64
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7A7C585310A311DD8EB800163E000016.NASL
    descriptionxine Team reports : A new xine-lib version is now available. This release contains a security fix (an unchecked array index that could allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.)
    last seen2020-06-01
    modified2020-06-02
    plugin id32066
    published2008-04-28
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32066
    titleFreeBSD : libxine -- array index vulnerability (7a7c5853-10a3-11dd-8eb8-00163e000016)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-124.NASL
    descriptionA vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). Xine-lib is similarly affected by this issue. As well, the previous version of xine as provided in Mandriva Linux 2008.1 would crash when playing matroska files, and a regression was introduced that prevented Amarok from playing m4a files. The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id37421
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37421
    titleMandriva Linux Security Advisory : xine-lib (MDVSA-2008:124)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-093.NASL
    descriptionA vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The ogg123 application in vorbis-tools is similarly affected by this issue. The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id37218
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37218
    titleMandriva Linux Security Advisory : vorbis-tools (MDVSA-2008:093)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-611-3.NASL
    descriptionUSN-611-1 fixed a vulnerability in Speex. This update provides the corresponding update for GStreamer Good Plugins. It was discovered that Speex did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service in applications linked against Speex or possibly execute arbitrary code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id32193
    published2008-05-09
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32193
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : gst-plugins-good0.10 vulnerability (USN-611-3)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1586.NASL
    descriptionMultiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player. The Common Vulnerabilities and Exposures project identifies the following three problems : - CVE-2008-1482 Integer overflow vulnerabilities exist in xine
    last seen2020-06-01
    modified2020-06-02
    plugin id32435
    published2008-05-23
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32435
    titleDebian DSA-1586-1 : xine-lib - multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GSTREAMER010-PLUGINS-GOOD-5185.NASL
    descriptionSpecially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id33160
    published2008-06-12
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33160
    titleSuSE 10 Security Update : gstreamer010-plugins (ZYPP Patch Number 5185)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-3191.NASL
    descriptionSecurity update: Add mode checks to speex_packet_to_header() to protect applications using speex library and not having proper checks (CVE-2008-1686, #441239, https://trac.xiph.org/changeset/14701) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31982
    published2008-04-18
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31982
    titleFedora 7 : speex-1.2-0.3.beta1 (2008-3191)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1585.NASL
    descriptionIt was discovered that speex, the Speex codec command line tools, did not correctly deal with negative offsets in a particular header field. This could allow a malicious file to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id32407
    published2008-05-22
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32407
    titleDebian DSA-1585-1 : speex - integer overflow
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-635-1.NASL
    descriptionAlin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073) Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238) Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486) It was discovered that the ASF demuxer in xine-lib did not properly check the length if the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110) It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1161) Luigi Auriemma discovered multiple integer overflows in xine-lib. If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1482) It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686) Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1878). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33940
    published2008-08-20
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33940
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : xine-lib vulnerabilities (USN-635-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0235.NASL
    descriptionUpdated speex packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id32000
    published2008-04-22
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32000
    titleCentOS 4 / 5 : speex (CESA-2008:0235)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_633716FA1F8F11DDB1430211D880E350.NASL
    descriptionSecunia reports : A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a user
    last seen2020-06-01
    modified2020-06-02
    plugin id32299
    published2008-05-13
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32299
    titleFreeBSD : vorbis-tools -- Speex header processing vulnerability (633716fa-1f8f-11dd-b143-0211d880e350)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1584.NASL
    descriptionIt was discovered that libfishsound, a simple programming interface that wraps Xiph.Org audio codecs, didn
    last seen2020-06-01
    modified2020-06-02
    plugin id32406
    published2008-05-22
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32406
    titleDebian DSA-1584-1 : libfishsound - buffer overflow
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200804-17.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200804-17 (Speex: User-assisted execution of arbitrary code) oCERT reported that the Speex library does not properly validate the
    last seen2020-06-01
    modified2020-06-02
    plugin id32010
    published2008-04-22
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32010
    titleGLSA-200804-17 : Speex: User-assisted execution of arbitrary code
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0235.NASL
    descriptionUpdated speex packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id31988
    published2008-04-18
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31988
    titleRHEL 4 / 5 : speex (RHSA-2008:0235)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_XINE-DEVEL-5204.NASL
    descriptionSpecially crafted NSF files could potentially be exploited to execute arbitrary code (CVE-2008-1878). Specially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code (CVE-2008-1686).
    last seen2020-06-01
    modified2020-06-02
    plugin id32392
    published2008-05-20
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32392
    titleopenSUSE 10 Security Update : xine-devel (xine-devel-5204)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SPEEX-5364.NASL
    descriptionSpecially crafted files or streams could potentially be abused to trick applications that support speex into executing arbitrary code. (CVE-2008-1686)
    last seen2020-06-01
    modified2020-06-02
    plugin id33434
    published2008-07-08
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33434
    titleSuSE 10 Security Update : speex (ZYPP Patch Number 5364)

Oval

accepted2013-04-29T04:00:35.867-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionArray index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.
familyunix
idoval:org.mitre.oval:def:10026
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleArray index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.
version27

Redhat

advisories
bugzilla
id441239
titleCVE-2008-1686 speex, libfishsound: insufficient boundary checks
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentspeex-devel is earlier than 0:1.0.4-4.el4_6.1
          ovaloval:com.redhat.rhsa:tst:20080235001
        • commentspeex-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20080235002
      • AND
        • commentspeex is earlier than 0:1.0.4-4.el4_6.1
          ovaloval:com.redhat.rhsa:tst:20080235003
        • commentspeex is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20080235004
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentspeex-devel is earlier than 0:1.0.5-4.el5_1.1
          ovaloval:com.redhat.rhsa:tst:20080235006
        • commentspeex-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20080235007
      • AND
        • commentspeex is earlier than 0:1.0.5-4.el5_1.1
          ovaloval:com.redhat.rhsa:tst:20080235008
        • commentspeex is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20080235009
rhsa
idRHSA-2008:0235
released2008-04-16
severityImportant
titleRHSA-2008:0235: speex security update (Important)
rpms
  • speex-0:1.0.4-4.el4_6.1
  • speex-0:1.0.5-4.el5_1.1
  • speex-debuginfo-0:1.0.4-4.el4_6.1
  • speex-debuginfo-0:1.0.5-4.el5_1.1
  • speex-devel-0:1.0.4-4.el4_6.1
  • speex-devel-0:1.0.5-4.el5_1.1

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 28665 CVE(CAN) ID: CVE-2008-1686 fishsound库提供一个编程接口,允许使用Xiph.Org codec(FLAC、Speex和Vorbis)编码和解码音频数据。 fishsound库所使用的Speex库在处理Speex头时存在数组索引错误,如果特制的Speex流在头中包含有负数的modeID字段的话就可能导致执行任意指令。 Speex头中包含有32位的modeID字段,libspeex将其解释为有符的int型(spx_int32_t)。正常的使用方法是索引到全局模式列表以检索SpeexMode *: mode = (SpeexMode *)speex_mode_list[modeID]; 然后创建解码器: st = speex_decoder_init(mode); 这会在libspeex中调用speex_decoder_init(),类似于: void *speex_decoder_init(const SpeexMode *mode) { return mode-&gt;dec_init(mode); } 因此如果没有保证流头中所给出的modeID处于speex_mode_list[]范围中,就会导致执行任意指令。fishsound检查了上边界(modeID &lt; SPEEX_NB_MODES),但没有检查负数值。 CSIRO FishSound &lt;= 0.9.0 CSIRO ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.annodex.net/software/libfishsound/download/libfishsound-0.9.1.tar.gz target=_blank>http://www.annodex.net/software/libfishsound/download/libfishsound-0.9.1.tar.gz</a>
idSSV:3155
last seen2017-11-19
modified2008-04-13
published2008-04-13
reporterRoot
titleFishSound库远程Speex解码代码执行漏洞

References