Vulnerabilities > CVE-2011-3895 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Heap-based buffer overflow in the Vorbis decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream.

Vulnerable Configurations

Part Description Count
Application
Google
1818
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201111-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201111-05 (Chromium, V8: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details. Impact : A context-dependent attacker could entice a user to open a specially crafted website or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. The attacker also could cause a Java applet to run without user confirmation. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id56901
    published2011-11-22
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56901
    titleGLSA-201111-05 : Chromium, V8: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201111-05.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56901);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/11 17:09:26");
    
      script_cve_id("CVE-2011-3892", "CVE-2011-3893", "CVE-2011-3894", "CVE-2011-3895", "CVE-2011-3896", "CVE-2011-3897", "CVE-2011-3898", "CVE-2011-3900");
      script_bugtraq_id(50642, 50701);
      script_xref(name:"GLSA", value:"201111-05");
    
      script_name(english:"GLSA-201111-05 : Chromium, V8: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201111-05
    (Chromium, V8: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Chromium and V8. Please
          review the CVE identifiers and release notes referenced below for
          details.
      
    Impact :
    
        A context-dependent attacker could entice a user to open a specially
          crafted website or JavaScript program using Chromium or V8, possibly
          resulting in the execution of arbitrary code with the privileges of the
          process, or a Denial of Service condition. The attacker also could cause
          a Java applet to run without user confirmation.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # https://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0f60ac84"
      );
      # https://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5f5edd29"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201111-05"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Chromium users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=www-client/chromium-15.0.874.121'
        All V8 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-lang/v8-3.5.10.24'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:chromium");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:v8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/11/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-client/chromium", unaffected:make_list("ge 15.0.874.121"), vulnerable:make_list("lt 15.0.874.121"))) flag++;
    if (qpkg_check(package:"dev-lang/v8", unaffected:make_list("ge 3.5.10.24"), vulnerable:make_list("lt 3.5.10.24"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Chromium / V8");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2471.NASL
    descriptionSeveral vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. Multiple input validations in the decoders/ demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska, Vorbis, Sony ATRAC3, DV, NSV, files could lead to the execution of arbitrary code. These issues were discovered by Aki Helin, Mateusz Jurczyk, Gynvael Coldwind, and Michael Niedermayer.
    last seen2020-03-17
    modified2012-05-15
    plugin id59094
    published2012-05-15
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59094
    titleDebian DSA-2471-1 : ffmpeg - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2471. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59094);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2011-3892", "CVE-2011-3893", "CVE-2011-3895", "CVE-2011-3929", "CVE-2011-3936", "CVE-2011-3940", "CVE-2011-3947", "CVE-2012-0853", "CVE-2012-0947");
      script_xref(name:"DSA", value:"2471");
    
      script_name(english:"Debian DSA-2471-1 : ffmpeg - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in FFmpeg, a multimedia
    player, server and encoder. Multiple input validations in the
    decoders/ demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora,
    Matroska, Vorbis, Sony ATRAC3, DV, NSV, files could lead to the
    execution of arbitrary code.
    
    These issues were discovered by Aki Helin, Mateusz Jurczyk, Gynvael
    Coldwind, and Michael Niedermayer."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze/ffmpeg"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2012/dsa-2471"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the ffmpeg packages.
    
    For the stable distribution (squeeze), this problem has been fixed in
    version 4:0.5.8-1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ffmpeg");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"ffmpeg", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"ffmpeg-dbg", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"ffmpeg-doc", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavcodec-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavcodec52", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavdevice-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavdevice52", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavfilter-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavfilter0", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavformat-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavformat52", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavutil-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libavutil49", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libpostproc-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libpostproc51", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libswscale-dev", reference:"4:0.5.8-1")) flag++;
    if (deb_check(release:"6.0", prefix:"libswscale0", reference:"4:0.5.8-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201310-12.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201310-12 (FFmpeg: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in FFmpeg. Please review the CVE identifiers and FFmpeg changelogs referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted media file, possibly leading to the execution of arbitrary code with the privileges of the user running the application or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id70647
    published2013-10-27
    reporterThis script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70647
    titleGLSA-201310-12 : FFmpeg: Multiple vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6887828F022911E0B84D00262D5ED8EE.NASL
    descriptionGoogle Chrome Releases reports : Fixed in 15.0.874.121 : [103259] High CVE-2011-3900: Out-of-bounds write in v8. Credit to Christian Holler. Fixed in 15.0.874.120 : [100465] High CVE-2011-3892: Double free in Theora decoder. Credit to Aki Helin of OUSPG. [100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV and Vorbis media handlers. Credit to Aki Helin of OUSPG. [101172] High CVE-2011-3894: Memory corruption regression in VP8 decoding. Credit to Andrew Scherkus of the Chromium development community. [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder. Credit to Aki Helin of OUSPG. [101624] High CVE-2011-3896: Buffer overflow in shader variable mapping. Credit to Ken
    last seen2020-06-01
    modified2020-06-02
    plugin id51069
    published2010-12-08
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51069
    titleFreeBSD : chromium -- multiple vulnerabilities (6887828f-0229-11e0-b84d-00262d5ed8ee)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2012-075.NASL
    descriptionMultiple vulnerabilities has been found and corrected in ffmpeg : The Matroska format decoder in FFmpeg does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file (CVE-2011-3362, CVE-2011-3504). cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, related to the decode_residual_block, check_for_slice, and cavs_decode_frame functions, a different vulnerability than CVE-2011-3362 (CVE-2011-3973). Integer signedness error in the decode_residual_inter function in cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, a different vulnerability than CVE-2011-3362 (CVE-2011-3974). Double free vulnerability in the Theora decoder in FFmpeg allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream (CVE-2011-3892). FFmpeg does not properly implement the MKV and Vorbis media handlers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2011-3893). Heap-based buffer overflow in the Vorbis decoder in FFmpeg allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream (CVE-2011-3895). An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited to cause a buffer overflow (CVE-2011-4351). An integer overflow error within the
    last seen2020-06-01
    modified2020-06-02
    plugin id59096
    published2012-05-15
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59096
    titleMandriva Linux Security Advisory : ffmpeg (MDVSA-2012:075)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2012-076.NASL
    descriptionMultiple vulnerabilities has been found and corrected in ffmpeg : The Matroska format decoder in FFmpeg does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file (CVE-2011-3362, CVE-2011-3504). cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, related to the decode_residual_block, check_for_slice, and cavs_decode_frame functions, a different vulnerability than CVE-2011-3362 (CVE-2011-3973). Integer signedness error in the decode_residual_inter function in cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, a different vulnerability than CVE-2011-3362 (CVE-2011-3974). Double free vulnerability in the Theora decoder in FFmpeg allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream (CVE-2011-3892). FFmpeg does not properly implement the MKV and Vorbis media handlers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2011-3893). Heap-based buffer overflow in the Vorbis decoder in FFmpeg allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream (CVE-2011-3895). An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited to cause a buffer overflow (CVE-2011-4351). An integer overflow error within the
    last seen2020-06-01
    modified2020-06-02
    plugin id61951
    published2012-09-06
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61951
    titleMandriva Linux Security Advisory : ffmpeg (MDVSA-2012:076)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4D087B35099011E3A9F4BCAEC565249C.NASL
    descriptionBundled version of libav in gstreamer-ffmpeg contains a number of vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id69412
    published2013-08-21
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/69412
    titleFreeBSD : gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav (4d087b35-0990-11e3-a9f4-bcaec565249c)
  • NASL familyWindows
    NASL idGOOGLE_CHROME_15_0_874_120.NASL
    descriptionThe version of Google Chrome installed on the remote host is earlier than 15.0.874.120. It is, therefore, potentially affected by the following vulnerabilities : - A double-free error exists in the Theora decoder. (CVE-2011-3892) - Out-of-bounds read errors exist in the MVK and Vorbis media handlers. (CVE-2011-3893) - A memory corruption error exists in the VP8 decoding. (CVE-2011-3894) - A heap overflow error exists in the Vorbis decoder. (CVE-2011-3895) - A buffer overflow error exists in shader variable mapping functionality. (CVE-2011-3896) - A use-after-free error exists related to unspecified editing. (CVE-2011-3897) - In JRE7, applets are allowed to run without the proper permissions. (CVE-2011-3898)
    last seen2020-06-01
    modified2020-06-02
    plugin id56779
    published2011-11-11
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56779
    titleGoogle Chrome < 15.0.874.120 Multiple Vulnerabilities

Oval

accepted2014-04-07T04:00:20.719-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationDTCC
  • nameShane Shaffer
    organizationG2, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameMaria Kedovskaya
    organizationALTX-SOFT
  • nameMaria Kedovskaya
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
  • commentGoogle Chrome is installed
    ovaloval:org.mitre.oval:def:11914
descriptionHeap-based buffer overflow in the Vorbis decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream.
familywindows
idoval:org.mitre.oval:def:13551
statusaccepted
submitted2011-11-25T18:27:58.000-05:00
titleHeap-based buffer overflow in the Vorbis decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream.
version52