Bug 441239 - CVE-2008-1686 speex, libfishsound: insufficient boundary checks
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Status: Reopened
Keywords: Security
Depends On: 441246 441247 441248 442030 442031 442035 442036 442037 442038 442040 442042 442043 442044 442571 442572 833978
Reported: 2008-04-07 07:41 EDT by Tomas Hoger
Modified: 2012-06-20 10:37 EDT (History)
Fixed In Version: 0.9.1-1.fc7
Doc Type: Bug Fix
Last Closed: 2008-06-19 10:28:26 EDT
Description Tomas Hoger 2008-04-07 07:41:09 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1686 to the following vulnerability:

Quoting oCert advisory:

The libfishsound decoder library incorrectly implements the reference speex
decoder from the Speex library, performing insufficient boundary checks on a
header structure read from user input.

A user controlled field in the header structure is used to build a function
pointer. The libfishsound implementation does not check for negative values for
the field, allowing the function pointer to be pointed at an arbitrary position
in memory. This allows remote code execution.

Affected version: <= 0.9.0
Fixed version: 0.9.1

Upstream patch in trunk:

Comment 3 Tomas Hoger 2008-04-07 08:48:20 EDT
oCert-2008-2 was updated to list speex as affected as well:

Additional affected packages:
Speex <= 1.1.6, the reference implementation from which libfishsound is derived.

Current Fedora speex packages are not affected by this problem.  Affected speex
packages are shipped in Red Hat Enterprise Linux 4 and 5.
Comment 4 Tomas Hoger 2008-04-07 08:55:52 EDT
For speex, fix first occurred in 1.2.0beta1.
Comment 5 Tomas Hoger 2008-04-07 13:51:19 EDT
Some more info in Conrad Parker's blog:

Comment 8 Tomas Hoger 2008-04-11 07:24:34 EDT
So far, the same issue was identified in the following other projects:

- gstreamer-plugins-good-0.10.6
- vorbis-tools-1.1.1 (ogg123)
- sweep-0.9.2
- xine-lib-
- vlc-0.8.6f (not shipped in Fedora or Red Hat Enterprise Linux)
- SDL_sound-1.0.1
  Fedora packages seem unaffected, as they do not seem to be linked against
  libspeex despite --enable-speex and the speex-devel BuildRequires
Comment 9 Tomas Hoger 2008-04-11 07:25:53 EDT
So far, fixed upstream in:

- gstreamer-plugins-good

- sweep
Comment 14 Tomas Hoger 2008-04-12 13:11:09 EDT
Speex upstream added a check in speex_packet_to_header(), so that can address this
problem for all affected apps that use speex_packet_to_header and check its
return value (all applications seem to do that correctly).  For a caller of
speex_packet_to_header that does not check the return value, it will reduce the problem
to a crash caused by a NULL pointer dereference.

Patch applied to speex_packet_to_header():

$ svn diff -c 14701 http://svn.xiph.org/trunk/speex/libspeex/
Index: speex_header.c
--- speex_header.c      (revision 14700)
+++ speex_header.c      (revision 14701)
@@ -178,6 +178,13 @@

+   if (le_header->mode >= SPEEX_NB_MODES || le_header->mode < 0)
+   {
+      speex_notify("Invalid mode specified in Speex header");
+      speex_free (le_header);
+      return NULL;
+   }
    if (le_header->nb_channels>2)
       le_header->nb_channels = 2;
    if (le_header->nb_channels<1)
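Review bot: the new range check at the top of the hunk is only complete while `le_header->mode` is a signed type; if that field is ever declared unsigned, the `le_header->mode < 0` half becomes dead code and compilers will warn, while the `>= SPEEX_NB_MODES` half alone then suffices because a wrapped negative reads as a large positive. A short comment stating that the field is signed and that both halves are intentional would keep a later cleanup from dropping one of them. It is also worth confirming that `le_header` already holds the byte-swapped, host-order values at this point, since the comparison is meaningless on raw little-endian bytes on a big-endian host. Returning NULL after `speex_free (le_header)` is consistent with the existing failure path, but it only protects callers that actually test the result, as comment #14 points out.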

$ svn log -r 14701 http://svn.xiph.org/trunk/speex/libspeex/
r14701 | jm | 2008-04-11 05:48:46 +0200 (Fri, 11 Apr 2008) | 5 lines

Patch by kfish that checks for headers with invalid mode numbers. Technically,
it should have been the application's responsibility, but many didn't, so
we ended up with security issues. Considering that there's no real use for
modes that Speex doesn't know about, this should work around a lot of problems.
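The pattern the advisory describes (a header field selecting an entry of a function-pointer table) and the r14701-style check from comment #14, shown side by side in an added C example. This is not Speex or libfishsound code: the mode table, the 8-byte header layout, the byte offsets and every `demo_*` name are constructed for this illustration, and the sample packets are built inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the Speex mode table: one init routine per known
 * mode. In the real library the header's mode field selects an entry of a
 * table like this, which is the "function pointer built from a user
 * controlled field" the advisory describes. Names here are hypothetical. */
typedef int (*demo_mode_init_fn)(void);
static int demo_nb_init(void)  { return 1; }
static int demo_wb_init(void)  { return 2; }
static int demo_uwb_init(void) { return 3; }

#define DEMO_NB_MODES 3
static const demo_mode_init_fn demo_mode_table[DEMO_NB_MODES] = {
    demo_nb_init, demo_wb_init, demo_uwb_init
};

/* Minimal header: only the two fields used below. Layout is constructed for
 * this demo (8 bytes: mode, nb_channels), not the real Speex header. */
struct demo_header {
    int32_t mode;        /* signed: a negative value is a valid wire value */
    int32_t nb_channels;
};

/* Decode a little-endian signed 32-bit field from the packet. */
static int32_t demo_read_le32(const unsigned char *p) {
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Pre-fix pattern: only the upper bound is checked. With a signed mode, any
 * negative value passes and indexes memory before the table. Included for
 * comparison only; the checked path below never uses it. */
int demo_init_unchecked(int32_t mode) {
    if (mode >= DEMO_NB_MODES) return -1;
    return demo_mode_table[mode]();   /* negative mode: out-of-bounds read */
}

/* Parse a packet into a header with the r14701-style check: reject a mode
 * that is negative or >= the number of known modes before anyone indexes
 * with it. Returns 1 on success, 0 on a rejected or truncated packet. */
int demo_packet_to_header(const unsigned char *packet, size_t len,
                          struct demo_header *out) {
    if (packet == NULL || out == NULL || len < 8) return 0;
    out->mode = demo_read_le32(packet);
    out->nb_channels = demo_read_le32(packet + 4);
    if (out->mode >= DEMO_NB_MODES || out->mode < 0) {
        /* both halves matter: the second catches negatives, which the
         * first cannot see on a signed type */
        return 0;
    }
    if (out->nb_channels > 2) out->nb_channels = 2;   /* clamp as Speex does */
    if (out->nb_channels < 1) out->nb_channels = 1;
    return 1;
}

/* Hardened caller: only indexes the table after the header was accepted.
 * Returns the init routine's result, or -1 if the header was rejected. */
int demo_init_from_packet(const unsigned char *packet, size_t len) {
    struct demo_header h;
    if (!demo_packet_to_header(packet, len, &h)) return -1;
    return demo_mode_table[h.mode]();  /* index is within [0, DEMO_NB_MODES) */
}

/* Build a constructed 8-byte little-endian packet for the examples. */
void demo_make_packet(unsigned char out[8], int32_t mode, int32_t nb_channels) {
    uint32_t m = (uint32_t)mode, c = (uint32_t)nb_channels;
    for (int i = 0; i < 4; i++) {
        out[i]     = (unsigned char)((m >> (8 * i)) & 0xff);
        out[4 + i] = (unsigned char)((c >> (8 * i)) & 0xff);
    }
}

int main(void) {
    unsigned char pkt[8];
    int32_t samples[] = { 1, -1, 3, INT32_MIN };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        demo_make_packet(pkt, samples[i], 1);
        printf("mode %11d -> %d\n", (int)samples[i],
               demo_init_from_packet(pkt, sizeof pkt));
    }
    return 0;
}
```

The point of the two-sided comparison is the one the svn log makes: once the field is validated inside the header parser, every caller that checks the parser's return value is covered, and a caller that ignores it fails on a rejected header rather than on a wild table index.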

Comment 17 Tomas Hoger 2008-04-14 11:11:06 EDT
Upstream bugreport for ogg123:

Comment 18 Tomas Hoger 2008-04-14 12:14:16 EDT
Upstream speex commit mentioned in comment #14 is also viewable via xiph.org trac:

Comment 22 Tomas Hoger 2008-04-15 12:07:35 EDT
xine-lib 1.1.12 was released today adding same check to speex decoder used by


xine-lib update will not be needed for security reasons after the following speex
updates are pushed to stable:


Those updates implement the check on the speex side, based on the speex upstream change
Comment 24 Fedora Update System 2008-04-16 23:48:15 EDT
libfishsound-0.9.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2008-04-16 23:52:31 EDT
speex-1.2-0.4.beta2 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2008-04-16 23:56:41 EDT
speex-1.2-0.3.beta1 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Tomas Hoger 2008-04-17 03:42:17 EDT
oCERT published advisory oCERT-2008-004 describing affected applications:


Speex package update is sufficient to address the issue in all affected
Comment 29 Fedora Update System 2008-05-17 18:19:11 EDT
libfishsound-0.9.1-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
