Vulnerabilities > CVE-2017-11333 - NULL Pointer Dereference vulnerability in Xiph.Org Libvorbis 1.3.5
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | libvorbis 1.3.5 - Multiple Vulnerabilities. CVE-2017-11333,CVE-2017-11735. Dos exploit for Linux platform. Tags: Denial of Service (DoS) |
| file | exploits/linux/dos/42399.txt |
| id | EDB-ID:42399 |
| last seen | 2017-07-31 |
| modified | 2017-07-31 |
| platform | linux |
| port | |
| published | 2017-07-31 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/42399/ |
| title | libvorbis 1.3.5 - Multiple Vulnerabilities |
| type | dos |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2019-2E385F97E2.NASL description MinGW cross compiled libvorbis 1.3.6 + various patches backported from git. This is a security fix for: CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 CVE-2018-5146 CVE-2018-10392 CVE-2018-10393 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 121318 published 2019-01-23 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121318 title Fedora 29 : mingw-libvorbis (2019-2e385f97e2) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-2e385f97e2. # include("compat.inc"); if (description) { script_id(121318); script_version("1.3"); script_cvs_date("Date: 2019/09/23 11:21:10"); script_cve_id("CVE-2017-11333", "CVE-2017-11735", "CVE-2017-14160", "CVE-2017-14632", "CVE-2017-14633", "CVE-2018-10392", "CVE-2018-10393", "CVE-2018-5146"); script_xref(name:"FEDORA", value:"2019-2e385f97e2"); script_name(english:"Fedora 29 : mingw-libvorbis (2019-2e385f97e2)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "MinGW cross compiled libvorbis 1.3.6 + various patches backported from git. This is a security fix for: CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 CVE-2018-5146 CVE-2018-10392 CVE-2018-10393 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-2e385f97e2" ); script_set_attribute( attribute:"solution", value:"Update the affected mingw-libvorbis package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-libvorbis"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/31"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC29", reference:"mingw-libvorbis-1.3.6-2.fc29")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw-libvorbis"); }NASL family Fedora Local Security Checks NASL id FEDORA_2018-0259281AB6.NASL description Sync with git (CVE-2017-14160, CVE-2018-10392, CVE-2018-10393, bz#1516379) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120203 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120203 title Fedora 28 : 1:libvorbis (2018-0259281ab6) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-0259281ab6. # include("compat.inc"); if (description) { script_id(120203); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-11333", "CVE-2017-14160", "CVE-2018-10392", "CVE-2018-10393"); script_xref(name:"FEDORA", value:"2018-0259281ab6"); script_name(english:"Fedora 28 : 1:libvorbis (2018-0259281ab6)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Sync with git (CVE-2017-14160, CVE-2018-10392, CVE-2018-10393, bz#1516379) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-0259281ab6" ); script_set_attribute( attribute:"solution", value:"Update the affected 1:libvorbis package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:libvorbis"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/31"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC28", reference:"libvorbis-1.3.6-3.fc28", epoch:"1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:libvorbis"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1368.NASL description Serious vulnerabilities were found in the libvorbis library, commonly used to encode and decode audio in OGG containers. 2017-14633 In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). 2017-14632 Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. 2017-11333 The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file. 2018-5146 out-of-bounds memory write in the codeboook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code. For Debian 7 last seen 2020-03-17 modified 2018-04-30 plugin id 109409 published 2018-04-30 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109409 title Debian DLA-1368-1 : libvorbis security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1368-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(109409); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-11333", "CVE-2017-14632", "CVE-2017-14633", "CVE-2018-5146"); script_name(english:"Debian DLA-1368-1 : libvorbis security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Serious vulnerabilities were found in the libvorbis library, commonly used to encode and decode audio in OGG containers. 2017-14633 In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). 2017-14632 Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. 2017-11333 The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file. 2018-5146 out-of-bounds memory write in the codeboook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code. For Debian 7 'Wheezy', these problems have been fixed in version 1.3.2-1.3+deb7u1. We recommend that you upgrade your libvorbis packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/04/msg00033.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/libvorbis" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbis-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbis-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbis0a"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbisenc2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbisfile3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"libvorbis-dbg", reference:"1.3.2-1.3+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libvorbis-dev", reference:"1.3.2-1.3+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libvorbis0a", reference:"1.3.2-1.3+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libvorbisenc2", reference:"1.3.2-1.3+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libvorbisfile3", reference:"1.3.2-1.3+deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2039.NASL description Two issues have been found in libvorbis, a decoder library for Vorbis General Audio Compression Codec. 2017-14633 In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). 2017-11333 The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 132106 published 2019-12-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132106 title Debian DLA-2039-1 : libvorbis security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2039-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(132106); script_version("1.2"); script_cvs_date("Date: 2019/12/20"); script_cve_id("CVE-2017-11333", "CVE-2017-14633"); script_name(english:"Debian DLA-2039-1 : libvorbis security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Two issues have been found in libvorbis, a decoder library for Vorbis General Audio Compression Codec. 2017-14633 In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). 2017-11333 The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file. For Debian 8 'Jessie', these problems have been fixed in version 1.3.4-2+deb8u3. We recommend that you upgrade your libvorbis packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/libvorbis" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbis-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbis-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbis0a"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbisenc2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvorbisfile3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/31"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libvorbis-dbg", reference:"1.3.4-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"libvorbis-dev", reference:"1.3.4-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"libvorbis0a", reference:"1.3.4-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"libvorbisenc2", reference:"1.3.4-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"libvorbisfile3", reference:"1.3.4-2+deb8u3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");