iSEC Partners Security Advisory - 2007-003-libvorbis http://www.isecpartners.com -------------------------------------------- libvorbis 1.1.2 - Multiple memory corruption flaws Vendor: Xiph.org Vendor URL: http://www.xiph.org Systems Affected: All tested software based upon libvorbis 1.1.2 Severity: High (Heap corruption, Denial of Service, Potential code execution) Author: David Thiel Vendor notified: 2007-06-05 Public release: 2007-07-26 Advisory URL: http://www.isecpartners.com/advisories/2007-003-libvorbis.txt Summary: -------- libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite, read violations and a function pointer overwrite. These bugs cause a at least a denial of service, and potentially code execution. Details: -------- Invalid blocksize_0 and blocksize_1 values result in a heap overwrite in the _01inverse() function of res0.c. An invalid mapping type causes an out of bounds dispatch table lookup, offset by an attacker-controlled value, during cleanup in vorbis_info_clear() in info.c. Additionally, invalid blocksize values cause a segmentation fault on read in block.c. Fix Information: ---------------- These issues are resolved in libvorbis 1.2.0, available at: http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.bz2 Thanks to: ---------- Ralph Giles and Xiphmont of Xiph.org for their detailed help determining root causes of and fixes for these issues. About iSEC Partners: -------------------- iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification, with offices in San Francisco and Seattle. Information on testing media players and codecs to expose and prevent similar bugs and tools to do the same will be presented at BlackHat USA 2007. http://www.isecpartners.com info@isecpartners.com