Multiple flaws have been found in libvorbis. These are fixed via libvorbis version 1.2.0. It should be noted that libvorbis 1.2.0 also fixes the issue described in bug 245991. The id number of each flaw is the subversion commit id. The descriptions were provided by Chris Montgomery. The libvorbis subversion repository is located here: http://svn.xiph.org/trunk/vorbis 13217: possible seek infinite loop in libvorbisfile 13215: multiplexed/non Vorbis stream support [heap read, potential heap write] 13211: better return value checking of seeks [heap read, potential heap write] 13179: check legal maximum blocksize [static array read] 13169,13170,13172: correctly handle codebooks with zero entires [heap read/write] 13168: low bitrate static mode declaration error [static read, heap read, potential heap write] 13151,13153,13154,13155,13167: residue decode vector overflow [heap read/write] 13162: static initializer declarations, check-before-free error fixes [heap read/write] 13149: check legal minimum blocksize [static array read]
Here is the breakdown of CVE id to libvorbis commit id mapping: CVE-2007-4065: 13217 (infinite loop) CVE-2007-4029 covers 2 issues with unknown commit IDs. According to Monty these two issues are the commit ids: 13151, 13154, 13155, 13167 and 13149, 13153, 13179 CVE-2007-4066: multiple flaws 13215: multiplexed/non Vorbis stream support [heap read, potential heap write] 13211: better return value checking of seeks [heap read, potential heap write] 13169,13170,13172: correctly handle codebooks with zero entires [heap read/write] 13168: low bitrate static mode declaration error [static read, heap read, potential heap write] 13162: static initializer declarations, check-before-free error fixes [heap read/write]
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0845.html http://rhn.redhat.com/errata/RHSA-2007-0912.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-1765