Launchpad.net

CVE 2008-1423

Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.

Related bugs and status

CVE-2008-1423 (Candidate) is related to these bugs:

Bug #232150: Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, CVE-2008-1423]

Summary				In	Importance	Status
	232150	Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, CVE-2008-1423]		libvorbis (Ubuntu)	Undecided	Fix Released
	232150	Multiple vulnerabilities in libvorbis 1.2.0 [CVE-2008-1419, CVE-2008-1420, CVE-2008-1423]		libvorbis (Debian)	Unknown	Fix Released

Bug #418059: libvorbis out of date

Summary				In	Importance	Status
	418059	libvorbis out of date		libvorbis (Ubuntu)	Undecided	Fix Released
	418059	libvorbis out of date		libvorbis (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://bugzilla.redha...
FEDORA: FEDORA-2008-3898
FEDORA: FEDORA-2008-3910
FEDORA: FEDORA-2008-3934
MANDRIVA: MDVSA-2008:102
REDHAT: RHSA-2008:0270
REDHAT: RHSA-2008:0271
BID: 29206
SECTRACK: 1020029
SECUNIA: 30234
SECUNIA: 30237
SECUNIA: 30247
SECUNIA: 30259
DEBIAN: DSA-1591
SUSE: SUSE-SR:2008:012
SECUNIA: 30479
SECUNIA: 30581
GENTOO: GLSA-200806-09
SECUNIA: 30820
UBUNTU: USN-682-1
SECUNIA: 32946
VUPEN: ADV-2008-1510
XF: libvorbis-quantvals-qu...
OVAL: oval:org.mitre.oval:de...