Bug 245991 (CVE-2007-3106) - CVE-2007-3106 libvorbis array boundary condition
Summary: CVE-2007-3106 libvorbis array boundary condition
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-3106
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 245994 245995 245996 245997 245998 245999 250599 250600
Blocks:
 
Reported: 2007-06-27 19:46 UTC by Josh Bressers
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-17 15:47:38 UTC
Embargoed:




Links
System                 | ID             | Private | Priority | Status       | Summary                               | Last Updated
Red Hat Product Errata | RHSA-2007:0845 | 0       | normal   | SHIPPED_LIVE | Important: libvorbis security update  | 2008-01-08 00:44:25 UTC
Red Hat Product Errata | RHSA-2007:0912 | 0       | normal   | SHIPPED_LIVE | Important: libvorbis security update  | 2007-10-11 18:24:01 UTC

Description Josh Bressers 2007-06-27 19:46:52 UTC
Chris Montgomery has informed us of a bug found in libvorbis.
The patch is in revision 13160 from http://svn.xiph.org/trunk/vorbis
(svn diff -r 13159:13160 http://svn.xiph.org/trunk/vorbis)

I'm calling this bug an "array boundary condition flaw".  It's the best
definition I could find that matched up with something MITRE uses.  The
issue in question is related to the usage of a function pointer table.
Here is an example:

_mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);

What happens is the value of 'ci->map_type[i]' can be an attacker
controlled 16 bit unsigned integer.  The amount of play with that
function pointer is a bit suspect I admit, but I suspect it's still
exploitable (some peer review from someone better at this sort of thing
would be helpful).

The code in question is called when libvorbis starts to clean things up
after receiving bad data.
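
The following is an added illustration, not libvorbis source and not the reporter's code: it models the unchecked function-pointer dispatch described above, beside a bounds-checked version and a parse-time check on the type number. Every name in it (mapping_fn, toy_info, mapping_table, parse_toy_header, and so on), the one-entry dispatch table and the toy header layout are this example's own assumptions, chosen to keep it self-contained.

```c
/* Added example, not libvorbis code: the unchecked function-pointer
 * dispatch pattern from the report, beside a bounds-checked version.
 * All names here (mapping_fn, toy_info, parse_toy_header, ...) are this
 * example's own and stand in for the libvorbis internals. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One vtable per mapping type; the stream header picks the type by number. */
typedef struct {
    const char *name;
    void (*free_info)(void *param);
} mapping_fn;

static void mapping0_free_info(void *param) { (void)param; }

static const mapping_fn mapping0 = { "mapping0", mapping0_free_info };

/* The dispatch table.  Only one entry exists (an assumption of this toy),
 * so any type number other than 0 indexes past the end of the table. */
static const mapping_fn *const mapping_table[] = { &mapping0 };
#define MAPPING_COUNT (sizeof(mapping_table) / sizeof(mapping_table[0]))

#define MAX_MAPS 4
typedef struct {
    int      maps;               /* mappings declared by the header */
    uint16_t map_type[MAX_MAPS]; /* 16-bit value read straight from the stream */
    void    *map_param[MAX_MAPS];
} toy_info;

/* Vulnerable cleanup: the raw 16-bit type selects the vtable with no range
 * check, so a hostile header makes this read a "function pointer" from up
 * to 65535 * sizeof(void *) bytes past the table and call through it.
 * Only ever call this with validated input; it is here to show the shape. */
static void toy_info_clear_unchecked(toy_info *ci)
{
    for (int i = 0; i < ci->maps; i++)
        mapping_table[ci->map_type[i]]->free_info(ci->map_param[i]);
    ci->maps = 0;
}

/* How far past the table the unchecked version would read for a given type. */
static size_t oob_read_offset(uint16_t map_type)
{
    return (size_t)map_type * sizeof(mapping_table[0]);
}

/* Hardened cleanup: reject any type outside the table before dispatching.
 * Returns the number of entries skipped because their type was invalid. */
static int toy_info_clear_checked(toy_info *ci)
{
    int skipped = 0;
    for (int i = 0; i < ci->maps; i++) {
        if (ci->map_type[i] >= MAPPING_COUNT) {
            skipped++;
            continue;
        }
        mapping_table[ci->map_type[i]]->free_info(ci->map_param[i]);
        ci->map_param[i] = NULL;
    }
    ci->maps = 0;
    return skipped;
}

/* Parse a constructed toy header: one count byte, then a big-endian 16-bit
 * type per mapping.  Validating the type here, at parse time, is the primary
 * fix; the check in the cleanup path is defence in depth for the partially
 * initialised struct that gets cleaned up after a parse error.
 * Returns 0 on success, -1 on a malformed or out-of-range header. */
static int parse_toy_header(const uint8_t *hdr, size_t len, toy_info *ci)
{
    ci->maps = 0;
    if (len < 1 || hdr[0] > MAX_MAPS || len < 1 + (size_t)hdr[0] * 2)
        return -1;
    for (int i = 0; i < hdr[0]; i++) {
        uint16_t t = (uint16_t)((hdr[1 + 2 * i] << 8) | hdr[2 + 2 * i]);
        if (t >= MAPPING_COUNT)
            return -1;           /* unknown mapping type: reject the stream */
        ci->map_type[i] = t;
        ci->map_param[i] = NULL;
        ci->maps = i + 1;        /* so a later failure can still be cleaned up */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid header and one naming type 0x4141. */
    const uint8_t good[] = { 2, 0x00, 0x00, 0x00, 0x00 };
    const uint8_t evil[] = { 1, 0x41, 0x41 };
    toy_info ci;

    printf("good header: %d\n", parse_toy_header(good, sizeof good, &ci));
    toy_info_clear_unchecked(&ci);   /* safe only because types were validated */

    printf("evil header: %d\n", parse_toy_header(evil, sizeof evil, &ci));
    ci.maps = 1; ci.map_type[0] = 0x4141;  /* emulate a partially parsed struct */
    printf("unchecked dispatch would read %zu bytes past the table\n",
           oob_read_offset(ci.map_type[0]));
    printf("checked clear skipped %d entries\n", toy_info_clear_checked(&ci));
    return 0;
}
```

The point of keeping both checks is the cleanup path the reporter describes: the struct being torn down was filled in from untrusted data and the teardown runs precisely because that data was bad, so the cleanup cannot assume the parser finished validating it.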

Comment 6 Josh Bressers 2007-07-26 20:28:11 UTC
Lifting embargo:
http://www.isecpartners.com/advisories/2007-003-libvorbis.txt

Comment 9 Red Hat Product Security 2008-01-17 15:47:38 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0845.html
  http://rhn.redhat.com/errata/RHSA-2007-0912.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-1765
