CVE-2008-1686 - Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, in

CVE-2008-1686

Summary

Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

References

Vulnerable Configurations

cpe:2.3:a:xine:xine-lib:0.9.8:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:0.9.8:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:0.9.13:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:0.9.13:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:0.99:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:0.99:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0.3a:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.0.3a:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.10:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.10:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.10.1:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.10.1:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.11:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1.1.11:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:*:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:*:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.4:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.4:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.5:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.5:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.6:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.6:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.7:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.7:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.8:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.8:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.9:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.9:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.10:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.10:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.11:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.11:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.11.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:1.1.11.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:*:*:*:*:*:*:*:*
cpe:2.3:a:xiph:speex:*:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.5.41:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.5.41:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.5.42:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.5.42:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.3:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.6.3:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:*:*:*:*:*:*:*:*
cpe:2.3:a:xiph:libfishsound:*:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 11-10-2018 - 20:36)
Impact:
Exploitability:

CWE

CWE-189

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

oval via4

accepted

2013-04-29T04:00:35.867-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10026

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	441239
title	CVE-2008-1686 speex, libfishsound: insufficient boundary checks

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment speex is earlier than 0:1.0.4-4.el4_6.1
oval oval:com.redhat.rhsa:tst:20080235001
comment speex is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080235002
AND
comment speex-devel is earlier than 0:1.0.4-4.el4_6.1
oval oval:com.redhat.rhsa:tst:20080235003
comment speex-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080235004

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment speex is earlier than 0:1.0.5-4.el5_1.1
oval oval:com.redhat.rhsa:tst:20080235006
comment speex is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080235007
AND
comment speex-devel is earlier than 0:1.0.5-4.el5_1.1
oval oval:com.redhat.rhsa:tst:20080235008
comment speex-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080235009

rhsa

id	RHSA-2008:0235
released	2008-04-16
severity	Important
title	RHSA-2008:0235: speex security update (Important)

rpms

speex-0:1.0.4-4.el4_6.1
speex-0:1.0.5-4.el5_1.1
speex-debuginfo-0:1.0.4-4.el4_6.1
speex-debuginfo-0:1.0.5-4.el5_1.1
speex-devel-0:1.0.4-4.el4_6.1
speex-devel-0:1.0.5-4.el5_1.1

refmap via4

bid	28665
bugtraq	20080417 [oCERT-2008-004] multiple speex implementations insufficientboundary checks
confirm	http://blog.kfish.org/2008/04/release-libfishsound-091.html http://sourceforge.net/project/shownotes.php?release_id=592185 http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655 http://www.metadecks.org/software/sweep/news.html
debian	DSA-1584 DSA-1585 DSA-1586
fedora	FEDORA-2008-3059 FEDORA-2008-3103 FEDORA-2008-3191
gentoo	GLSA-200804-17
mandriva	MDVSA-2008:092 MDVSA-2008:093 MDVSA-2008:094 MDVSA-2008:124
misc	http://www.ocert.org/advisories/ocert-2008-004.html http://www.ocert.org/advisories/ocert-2008-2.html
mlist	[Speex-dev] 20080406 libfishsound 0.9.1 Release
sectrack	1019875
secunia	29672 29727 29835 29845 29854 29866 29878 29880 29881 29882 29898 30104 30117 30119 30337 30353 30358 30581 30717 31393
slackware	SSA:2008-111-01
suse	SUSE-SR:2008:012 SUSE-SR:2008:013
ubuntu	USN-611-1 USN-611-2 USN-611-3 USN-635-1
vupen	ADV-2008-1187 ADV-2008-1228 ADV-2008-1268 ADV-2008-1269 ADV-2008-1300 ADV-2008-1301 ADV-2008-1302
xf	fishsound-libfishsound-speex-bo(41684)

Last major update

11-10-2018 - 20:36

Published

08-04-2008 - 18:05

Last modified

11-10-2018 - 20:36