ID OPENVAS:870075 Type openvas Reporter Copyright (C) 2009 Greenbone Networks GmbH Modified 2017-07-12T00:00:00
Description
Check for the Version of libvorbis
###############################################################################
# OpenVAS Vulnerability Test
#
# RedHat Update for libvorbis RHSA-2008:0271-01
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");
# Advisory text registered as the "insight" tag in the description block below.
# It names the four CVEs this check covers and states the impact: a crafted
# OGG file can crash an application linked with libvorbis or lead to
# arbitrary code execution when the file is opened.
tag_insight = "The libvorbis packages contain runtime libraries for use in programs that
support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and
royalty-free, general-purpose compressed audio format.
Will Drewry of the Google Security Team reported several flaws in the way
libvorbis processed audio data. An attacker could create a carefully
crafted OGG audio file in such a way that it could cause an application
linked with libvorbis to crash, or execute arbitrary code when it was
opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)
Moreover, additional OGG file sanity-checks have been added to prevent
possible exploitation of similar issues in the future.
Users of libvorbis are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.";
# Platforms listed in the "affected" tag. The detection code further down
# only tests the release string "RHENT_2.1".
# NOTE(review): presumably the AS, ES and WS variants all map to that one
# release value - confirm against gather-package-list.nasl.
tag_affected = "libvorbis on Red Hat Enterprise Linux AS (Advanced Server) version 2.1,
Red Hat Enterprise Linux ES version 2.1,
Red Hat Enterprise Linux WS version 2.1";
# Generic remediation text for the "solution" tag. The package versions the
# detection code compares against are libvorbis~1.0rc2~9.el2 and
# libvorbis-devel~1.0rc2~9.el2.
tag_solution = "Please Install the Updated Packages.";
# Metadata registration. This branch runs when the scanner loads the plugin
# with `description` set; it only declares what the check is and what it
# needs, then exits before any detection code is reached.
if(description)
{
  # Advisory reference and plugin identity / revision bookkeeping.
  script_xref(name:"URL", value:"https://www.redhat.com/archives/rhsa-announce/2008-May/msg00008.html");
  script_id(870075);
  script_version("$Revision: 6683 $");
  script_tag(name:"last_modification", value:"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $");
  script_tag(name:"creation_date", value:"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)");

  # Severity as a CVSS v2 base score and vector (network vector, medium
  # complexity, no authentication, complete C/I/A impact).
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");

  # Vendor advisory and the CVEs it resolves.
  script_xref(name:"RHSA", value:"2008:0271-01");
  script_cve_id("CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423", "CVE-2008-2009");
  script_name("RedHat Update for libvorbis RHSA-2008:0271-01");
  script_summary("Check for the Version of libvorbis");

  # ACT_GATHER_INFO: the check is registered as information gathering.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
  script_family("Red Hat Local Security Checks");

  # The check depends on gather-package-list.nasl and on the two KB keys
  # below being set.
  # NOTE(review): presumably those keys are only populated after an
  # authenticated SSH login that collected the RPM list, so a scan without
  # credentials would skip this plugin rather than report a clean host -
  # confirm against gather-package-list.nasl.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/rhel", "ssh/login/rpms");

  # Human-readable report sections built from the strings defined above.
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"insight", value:tag_insight);

  # Result quality is declared as "package" and the fix as a vendor fix.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  # Stop here in description mode.
  exit(0);
}
include("pkg-lib-rpm.inc");
# Detection. The verdict is derived from knowledge-base entries and the
# package version strings passed to isrpmvuln(); nothing in this script
# inspects the library file itself.
release = get_kb_item("ssh/login/release");

res = "";

# No release string in the KB: nothing to compare against, so stop quietly.
if(release == NULL)
{
  exit(0);
}

# Only the "RHENT_2.1" release is covered by this advisory check.
if(release == "RHENT_2.1")
{
  # NOTE(review): isrpmvuln() comes from pkg-lib-rpm.inc; it presumably
  # returns report text when the installed package is older than the given
  # version and NULL otherwise - confirm in the include.

  # Runtime library package.
  res = isrpmvuln(pkg:"libvorbis", rpm:"libvorbis~1.0rc2~9.el2", rls:"RHENT_2.1");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # Development package, checked only when the runtime package gave no finding.
  res = isrpmvuln(pkg:"libvorbis-devel", rpm:"libvorbis-devel~1.0rc2~9.el2", rls:"RHENT_2.1");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # NOTE(review): __pkg_match is not defined in this file; presumably
  # pkg-lib-rpm.inc sets it when a queried package is installed - confirm.
  if(__pkg_match)
  {
    exit(99); # Not vulnerable.
  }

  # Neither branch above fired: exit without reporting a verdict.
  exit(0);
}
{"id": "OPENVAS:870075", "type": "openvas", "bulletinFamily": "scanner", "title": "RedHat Update for libvorbis RHSA-2008:0271-01", "description": "Check for the Version of libvorbis", "published": "2009-03-06T00:00:00", "modified": "2017-07-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870075", "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "references": ["2008:0271-01", "https://www.redhat.com/archives/rhsa-announce/2008-May/msg00008.html"], "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423"], "lastseen": "2017-07-27T10:56:45", "viewCount": 0, "enchantments": {"score": {"value": 7.1, "vector": "NONE", "modified": "2017-07-27T10:56:45", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-1420", "CVE-2008-1423", "CVE-2008-1419", "CVE-2008-2009"]}, {"type": "centos", "idList": ["CESA-2008:0271-01", "CESA-2008:0270"]}, {"type": "nessus", "idList": ["FEDORA_2008-3910.NASL", "FEDORA_2008-3898.NASL", "GENTOO_GLSA-200806-09.NASL", "REDHAT-RHSA-2008-0271.NASL", "DEBIAN_DSA-1591.NASL", "FEDORA_2008-3934.NASL", "SUSE_LIBVORBIS-5258.NASL", "MANDRIVA_MDVSA-2008-102.NASL", "ORACLELINUX_ELSA-2008-0270.NASL", "SUSE9_12159.NASL"]}, {"type": "redhat", "idList": ["RHSA-2008:0271", "RHSA-2008:0270"]}, {"type": "openvas", "idList": ["OPENVAS:880142", "OPENVAS:860811", "OPENVAS:136141256231065846", "OPENVAS:1361412562310870075", "OPENVAS:840247", "OPENVAS:860665", "OPENVAS:1361412562310830606", "OPENVAS:1361412562310880258", "OPENVAS:1361412562310880142", "OPENVAS:65280"]}, {"type": "seebug", "idList": ["SSV:3300"]}, {"type": "ubuntu", "idList": ["USN-861-1", "USN-682-1", "USN-825-1"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10419", "SECURITYVULNS:DOC:22365", "SECURITYVULNS:DOC:22832", "SECURITYVULNS:VULN:9045", "SECURITYVULNS:DOC:19950"]}, {"type": "gentoo", "idList": 
["GLSA-200806-09"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1591-1:C813C"]}, {"type": "oraclelinux", "idList": ["ELSA-2008-0270"]}, {"type": "freebsd", "idList": ["F5A76FAF-244C-11DD-B143-0211D880E350", "3DAC84C9-BCE1-4199-9784-D68AF1EB7B2E", "94EDFF42-D93D-11DE-A434-0211D880E350"]}, {"type": "fedora", "idList": ["FEDORA:M4EM8E0Z000569", "FEDORA:M4EMAF5Y000682", "FEDORA:M4EM8C0V000542"]}], "modified": "2017-07-27T10:56:45", "rev": 2}, "vulnersScore": 7.1}, "pluginID": "870075", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for libvorbis RHSA-2008:0271-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The libvorbis packages contain runtime libraries for use in programs that\n support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\n royalty-free, general-purpose compressed audio format.\n\n Will Drewry of the Google Security Team reported several flaws in the way\n libvorbis processed audio data. 
An attacker could create a carefully\n crafted OGG audio file in such a way that it could cause an application\n linked with libvorbis to crash, or execute arbitrary code when it was\n opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)\n \n Moreover, additional OGG file sanity-checks have been added to prevent\n possible exploitation of similar issues in the future.\n \n Users of libvorbis are advised to upgrade to these updated packages, which\n contain backported patches to resolve these issues.\";\n\ntag_affected = \"libvorbis on Red Hat Enterprise Linux AS (Advanced Server) version 2.1,\n Red Hat Enterprise Linux ES version 2.1,\n Red Hat Enterprise Linux WS version 2.1\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-May/msg00008.html\");\n script_id(870075);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2008:0271-01\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\", \"CVE-2008-2009\");\n script_name( \"RedHat Update for libvorbis RHSA-2008:0271-01\");\n\n script_summary(\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value 
: tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_2.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.0rc2~9.el2\", rls:\"RHENT_2.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0rc2~9.el2\", rls:\"RHENT_2.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "Red Hat Local Security Checks"}
{"cve": [{"lastseen": "2020-10-03T11:50:58", "description": "Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.", "edition": 3, "cvss3": {}, "published": "2008-05-16T12:54:00", "title": "CVE-2008-1423", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1423"], "modified": "2017-09-29T01:30:00", "cpe": ["cpe:/a:xiph.org:libvorbis:1.0.0", "cpe:/a:xiph.org:libvorbis:1.0.1", "cpe:/a:xiph.org:libvorbis:1.1.2", "cpe:/a:xiph.org:libvorbis:1.1.1", "cpe:/a:xiph.org:libvorbis:1.1.0", "cpe:/a:xiph.org:libvorbis:1.2.0"], "id": "CVE-2008-1423", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1423", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:xiph.org:libvorbis:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:50:58", "description": "Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an 
integer overflow.", "edition": 3, "cvss3": {}, "published": "2008-05-16T12:54:00", "title": "CVE-2008-1419", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1419"], "modified": "2017-09-29T01:30:00", "cpe": ["cpe:/a:xiph.org:libvorbis:1.0.0", "cpe:/a:xiph.org:libvorbis:1.0.1", "cpe:/a:xiph.org:libvorbis:1.1.1", "cpe:/a:xiph.org:libvorbis:1.1.0", "cpe:/a:xiph.org:libvorbis:1.2.0", "cpe:/a:xiph.org:libvorbis:1.12"], "id": "CVE-2008-1419", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1419", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:xiph.org:libvorbis:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.12:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:50:58", "description": "Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow.", "edition": 3, "cvss3": {}, "published": "2008-05-16T12:54:00", "title": "CVE-2008-1420", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1420"], "modified": "2018-10-03T21:53:00", "cpe": ["cpe:/a:xiph.org:libvorbis:1.0.0", "cpe:/a:xiph.org:libvorbis:1.0.1", "cpe:/a:xiph.org:libvorbis:1.1.1", "cpe:/a:xiph.org:libvorbis:1.1.0", "cpe:/a:xiph.org:libvorbis:1.2.0", "cpe:/a:xiph.org:libvorbis:1.12"], "id": "CVE-2008-1420", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1420", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:xiph.org:libvorbis:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.12:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:50:59", "description": "Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.\nPer http://svn.xiph.org/trunk/vorbis/CHANGES, 1.0 is the first stable release of libvorbis. 
No version of libvorbis before 1.0 has been confirmed at this time.", "edition": 5, "cvss3": {}, "published": "2008-05-16T12:54:00", "title": "CVE-2008-2009", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2009"], "modified": "2019-10-29T00:57:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:8.04", "cpe:/a:xiph.org:libvorbis:1.0", "cpe:/o:canonical:ubuntu_linux:9.10", "cpe:/o:canonical:ubuntu_linux:8.10", "cpe:/o:canonical:ubuntu_linux:9.04"], "id": "CVE-2008-2009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2009", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:xiph.org:libvorbis:1.0:rc2:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.0:beta4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*", "cpe:2.3:a:xiph.org:libvorbis:1.0:rc1:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*"]}], "centos": [{"lastseen": "2019-12-20T18:26:52", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0271-01\n\n\nThe libvorbis packages contain runtime libraries for use in programs that\nsupport Ogg Vorbis. 
Ogg Vorbis is a fully open, non-proprietary, patent-and\nroyalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the way\nlibvorbis processed audio data. An attacker could create a carefully\ncrafted OGG audio file in such a way that it could cause an application\nlinked with libvorbis to crash, or execute arbitrary code when it was\nopened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026943.html\n\n**Affected packages:**\nlibvorbis\nlibvorbis-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "edition": 4, "modified": "2008-05-16T03:59:20", "published": "2008-05-16T03:59:20", "href": "http://lists.centos.org/pipermail/centos-announce/2008-May/026943.html", "id": "CESA-2008:0271-01", "title": "libvorbis security update", "type": "centos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:24:16", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0270\n\n\nThe libvorbis packages contain runtime libraries for use in programs that\nsupport Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\nroyalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the way\nlibvorbis processed audio data. 
An attacker could create a carefully\ncrafted OGG audio file in such a way that it could cause an application\nlinked with libvorbis to crash, or execute arbitrary code when it was\nopened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026936.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026937.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026938.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026939.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026944.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026945.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026946.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026947.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026952.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-May/026953.html\n\n**Affected packages:**\nlibvorbis\nlibvorbis-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2008-0270.html", "edition": 4, "modified": "2008-05-19T01:19:21", "published": "2008-05-14T12:52:45", "href": "http://lists.centos.org/pipermail/centos-announce/2008-May/026936.html", "id": "CESA-2008:0270", "title": "libvorbis security update", "type": "centos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:48", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423", "CVE-2008-2009"], "description": "The libvorbis packages contain runtime libraries for use in programs that\nsupport Ogg Vorbis. 
Ogg Vorbis is a fully open, non-proprietary, patent-and\nroyalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the way\nlibvorbis processed audio data. An attacker could create a carefully\ncrafted OGG audio file in such a way that it could cause an application\nlinked with libvorbis to crash, or execute arbitrary code when it was\nopened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues.", "modified": "2018-03-14T19:27:43", "published": "2008-05-14T04:00:00", "id": "RHSA-2008:0271", "href": "https://access.redhat.com/errata/RHSA-2008:0271", "type": "redhat", "title": "(RHSA-2008:0271) Important: libvorbis security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:37", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423"], "description": "The libvorbis packages contain runtime libraries for use in programs that\nsupport Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\nroyalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the way\nlibvorbis processed audio data. An attacker could create a carefully\ncrafted OGG audio file in such a way that it could cause an application\nlinked with libvorbis to crash, or execute arbitrary code when it was\nopened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages, which\ncontain backported patches to resolve these issues.", "modified": "2017-09-08T12:06:33", "published": "2008-05-14T04:00:00", "id": "RHSA-2008:0270", "href": "https://access.redhat.com/errata/RHSA-2008:0270", "type": "redhat", "title": "(RHSA-2008:0270) Important: libvorbis security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T04:56:17", "description": "Updated libvorbis packages that fix various security issues are now\navailable for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libvorbis packages contain runtime libraries for use in programs\nthat support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary,\npatent-and royalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423,\nCVE-2008-2009)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages,\nwhich contain backported patches to resolve these issues.", "edition": 26, "published": "2008-05-16T00:00:00", "title": "RHEL 2.1 : libvorbis (RHSA-2008:0271)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:libvorbis-devel", "cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:libvorbis"], "id": "REDHAT-RHSA-2008-0271.NASL", "href": "https://www.tenable.com/plugins/nessus/32356", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0271. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(32356);\n script_version (\"1.24\");\n script_cvs_date(\"Date: 2019/10/25 13:36:13\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\", \"CVE-2008-2009\");\n script_bugtraq_id(29206);\n script_xref(name:\"RHSA\", value:\"2008:0271\");\n\n script_name(english:\"RHEL 2.1 : libvorbis (RHSA-2008:0271)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated libvorbis packages that fix various security issues are now\navailable for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libvorbis packages contain runtime libraries for use in programs\nthat support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary,\npatent-and royalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423,\nCVE-2008-2009)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages,\nwhich contain backported patches to resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-1419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-1420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-1423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-2009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2008:0271\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvorbis and / or libvorbis-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libvorbis-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2008/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2008:0271\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"libvorbis-1.0rc2-9.el2\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"libvorbis-devel-1.0rc2-9.el2\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis / libvorbis-devel\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:32:39", "description": "Several security problems were fixed in libvorbis :\n\n - Division by zero. (CVE-2008-1419)\n\n - integer overflow. (CVE-2008-1420)\n\n - integer overflow. 
(CVE-2008-1423)", "edition": 21, "published": "2008-05-29T00:00:00", "title": "SuSE 10 Security Update : libvorbis (ZYPP Patch Number 5259)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_LIBVORBIS-5259.NASL", "href": "https://www.tenable.com/plugins/nessus/32474", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(32474);\n script_version (\"1.18\");\n script_cvs_date(\"Date: 2019/10/25 13:36:32\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n\n script_name(english:\"SuSE 10 Security Update : libvorbis (ZYPP Patch Number 5259)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security problems were fixed in libvorbis :\n\n - Division by zero. (CVE-2008-1419)\n\n - integer overflow. (CVE-2008-1420)\n\n - integer overflow. 
(CVE-2008-1423)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1419.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1420.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1423.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 5259.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:1, 
reference:\"libvorbis-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:1, reference:\"libvorbis-devel-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:1, cpu:\"x86_64\", reference:\"libvorbis-32bit-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"libvorbis-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"libvorbis-devel-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"x86_64\", reference:\"libvorbis-32bit-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:1, reference:\"libvorbis-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:1, reference:\"libvorbis-devel-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:1, cpu:\"x86_64\", reference:\"libvorbis-32bit-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"libvorbis-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"libvorbis-devel-1.1.2-13.12\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"x86_64\", reference:\"libvorbis-32bit-1.1.2-13.12\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:52:23", "description": "The remote host is affected by the vulnerability described in GLSA-200806-09\n(libvorbis: Multiple vulnerabilities)\n\n Will Drewry of the Google Security Team reported multiple\n vulnerabilities in libvorbis:\n A zero value for 'codebook.dim' is not properly handled, leading to a\n crash, infinite loop or triggering an integer overflow\n (CVE-2008-1419).\n An integer overflow in 'residue partition value' evaluation might lead\n to a heap-based buffer overflow (CVE-2008-1420).\n An integer overflow in a certain 'quantvals' and 'quantlist'\n calculation might lead to a heap-based 
buffer overflow\n (CVE-2008-1423).\n \nImpact :\n\n A remote attacker could exploit these vulnerabilities by enticing a\n user to open a specially crafted Ogg Vorbis file or network stream with\n an application using libvorbis. This might lead to the execution of\n arbitrary code with the privileges of the user playing the file or a\n Denial of Service by a crash or CPU consumption.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 27, "published": "2008-06-24T00:00:00", "title": "GLSA-200806-09 : libvorbis: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2008-06-24T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:libvorbis"], "id": "GENTOO_GLSA-200806-09.NASL", "href": "https://www.tenable.com/plugins/nessus/33245", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200806-09.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33245);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_xref(name:\"GLSA\", value:\"200806-09\");\n\n script_name(english:\"GLSA-200806-09 : libvorbis: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200806-09\n(libvorbis: Multiple vulnerabilities)\n\n Will Drewry of the Google Security Team reported multiple\n vulnerabilities in libvorbis:\n A zero value for 'codebook.dim' is not properly handled, leading to a\n crash, infinite loop or triggering an integer overflow\n (CVE-2008-1419).\n An integer overflow in 'residue partition value' evaluation might lead\n to a heap-based buffer overflow (CVE-2008-1420).\n An integer overflow in a certain 'quantvals' and 'quantlist'\n calculation might lead to a heap-based buffer overflow\n (CVE-2008-1423).\n \nImpact :\n\n A remote attacker could exploit these vulnerabilities by enticing a\n user to open a specially crafted Ogg Vorbis file or network stream with\n an application using libvorbis. 
This might lead to the execution of\n arbitrary code with the privileges of the user playing the file or a\n Denial of Service by a crash or CPU consumption.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200806-09\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All libvorbis users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/libvorbis-1.2.1_rc1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/06/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-libs/libvorbis\", unaffected:make_list(\"ge 1.2.1_rc1\"), vulnerable:make_list(\"lt 1.2.1_rc1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:32:39", "description": "Several security problems were fixed in libvorbis :\n\n - CVE-2008-1419 - Division by zero\n\n - CVE-2008-1420 - integer overflow\n\n - CVE-2008-1423 - integer overflow", "edition": 21, "published": "2008-05-29T00:00:00", "title": "openSUSE 10 Security Update : libvorbis (libvorbis-5258)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libvorbis-32bit", "cpe:/o:novell:opensuse:10.3", "cpe:/o:novell:opensuse:10.2", "cpe:/o:novell:opensuse:10.1", "p-cpe:/a:novell:opensuse:libvorbis-devel", "p-cpe:/a:novell:opensuse:libvorbis"], "id": "SUSE_LIBVORBIS-5258.NASL", "href": "https://www.tenable.com/plugins/nessus/32473", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update libvorbis-5258.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(32473);\n script_version (\"1.9\");\n script_cvs_date(\"Date: 2019/10/25 13:36:32\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n\n script_name(english:\"openSUSE 10 Security Update : libvorbis (libvorbis-5258)\");\n script_summary(english:\"Check for the libvorbis-5258 
patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security problems were fixed in libvorbis :\n\n - CVE-2008-1419 - Division by zero\n\n - CVE-2008-1420 - integer overflow\n\n - CVE-2008-1423 - integer overflow\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvorbis packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvorbis-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvorbis-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || 
release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.1|SUSE10\\.2|SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.1 / 10.2 / 10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.1\", reference:\"libvorbis-1.1.2-13.12\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"libvorbis-devel-1.1.2-13.12\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", cpu:\"x86_64\", reference:\"libvorbis-32bit-1.1.2-13.12\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"libvorbis-1.1.2-37\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"libvorbis-devel-1.1.2-37\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", cpu:\"x86_64\", reference:\"libvorbis-32bit-1.1.2-37\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"libvorbis-1.2.0-11.2\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"libvorbis-devel-1.2.0-11.2\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", cpu:\"x86_64\", reference:\"libvorbis-32bit-1.2.0-11.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis / libvorbis-32bit / libvorbis-devel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:32", "description": "Will Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. 
An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-05-16T00:00:00", "title": "Fedora 9 : libvorbis-1.2.0-4.fc9 (2008-3910)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2008-05-16T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:9", "p-cpe:/a:fedoraproject:fedora:libvorbis"], "id": "FEDORA_2008-3910.NASL", "href": "https://www.tenable.com/plugins/nessus/32342", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-3910.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32342);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_bugtraq_id(29206);\n script_xref(name:\"FEDORA\", value:\"2008-3910\");\n\n script_name(english:\"Fedora 9 : libvorbis-1.2.0-4.fc9 (2008-3910)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Will Drewry of the Google Security 
Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440700\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440706\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440709\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/009908.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3370d4e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvorbis package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2008/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"libvorbis-1.2.0-4.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:50:20", "description": "Several security problems were fixed in libvorbis :\n\n - Division by zero. (CVE-2008-1419)\n\n - integer overflow. 
(CVE-2008-1420)\n\n - integer overflow. (CVE-2008-1423)", "edition": 21, "published": "2009-09-24T00:00:00", "title": "SuSE9 Security Update : libvorbis (YOU Patch Number 12159)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE9_12159.NASL", "href": "https://www.tenable.com/plugins/nessus/41213", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(41213);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/10/25 13:36:31\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n\n script_name(english:\"SuSE9 Security Update : libvorbis (YOU Patch Number 12159)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security problems were fixed in libvorbis :\n\n - Division by zero. (CVE-2008-1419)\n\n - integer overflow. (CVE-2008-1420)\n\n - integer overflow. 
(CVE-2008-1423)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1419.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1420.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1423.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12159.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"libvorbis-1.0.1-56.8\")) 
flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"libvorbis-devel-1.0.1-56.8\")) flag++;\nif (rpm_check(release:\"SUSE9\", cpu:\"x86_64\", reference:\"libvorbis-32bit-9-200805201623\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:31", "description": "Will Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-05-16T00:00:00", "title": "Fedora 7 : libvorbis-1.1.2-4.fc7 (2008-3898)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2008-05-16T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:7", "p-cpe:/a:fedoraproject:fedora:libvorbis"], "id": "FEDORA_2008-3898.NASL", "href": "https://www.tenable.com/plugins/nessus/32339", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-3898.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32339);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_bugtraq_id(29206);\n script_xref(name:\"FEDORA\", value:\"2008-3898\");\n\n script_name(english:\"Fedora 7 : libvorbis-1.1.2-4.fc7 (2008-3898)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Will Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440700\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440706\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440709\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/009899.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2623c090\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvorbis package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n 
script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"libvorbis-1.1.2-4.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:32", "description": "Will Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-05-16T00:00:00", "title": "Fedora 8 : libvorbis-1.2.0-2.fc8 (2008-3934)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2008-05-16T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:libvorbis"], "id": "FEDORA_2008-3934.NASL", "href": "https://www.tenable.com/plugins/nessus/32345", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-3934.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32345);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_bugtraq_id(29206);\n script_xref(name:\"FEDORA\", value:\"2008-3934\");\n\n script_name(english:\"Fedora 8 : libvorbis-1.2.0-2.fc8 (2008-3934)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Will Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. 
An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440700\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440706\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=440709\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/009895.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e137348d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvorbis package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2008/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"libvorbis-1.2.0-2.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:51:52", "description": "Will Drewry of the Google Security Team reported several\nvulnerabilities in how libvorbis processed audio data. 
An attacker\ncould create a carefully crafted OGG audio file in such a way that it\nwould cause an application linked to libvorbis to crash or possibly\nexecute arbitrary code when opened (CVE-2008-1419, CVE-2008-1420,\nCVE-2008-1423).\n\nThe updated packages have been patched to correct these issues.", "edition": 25, "published": "2009-04-23T00:00:00", "title": "Mandriva Linux Security Advisory : libvorbis (MDVSA-2008:102)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2009-04-23T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:lib64vorbisfile3", "p-cpe:/a:mandriva:linux:lib64vorbisenc2", "p-cpe:/a:mandriva:linux:lib64vorbis0-devel", "cpe:/o:mandriva:linux:2007.1", "cpe:/o:mandriva:linux:2008.1", "cpe:/o:mandriva:linux:2008.0", "p-cpe:/a:mandriva:linux:lib64vorbis0", "p-cpe:/a:mandriva:linux:libvorbis0", "p-cpe:/a:mandriva:linux:libvorbisfile3", "p-cpe:/a:mandriva:linux:libvorbisenc2", "p-cpe:/a:mandriva:linux:libvorbis0-devel", "p-cpe:/a:mandriva:linux:libvorbis-devel", "p-cpe:/a:mandriva:linux:lib64vorbis-devel"], "id": "MANDRIVA_MDVSA-2008-102.NASL", "href": "https://www.tenable.com/plugins/nessus/36438", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2008:102. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36438);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_bugtraq_id(29206);\n script_xref(name:\"MDVSA\", value:\"2008:102\");\n\n script_name(english:\"Mandriva Linux Security Advisory : libvorbis (MDVSA-2008:102)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Will Drewry of the Google Security Team reported several\nvulnerabilities in how libvorbis processed audio data. An attacker\ncould create a carefully crafted OGG audio file in such a way that it\nwould cause an application linked to libvorbis to crash or possibly\nexecute arbitrary code when opened (CVE-2008-1419, CVE-2008-1420,\nCVE-2008-1423).\n\nThe updated packages have been patched to correct these issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64vorbis-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64vorbis0\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:lib64vorbis0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64vorbisenc2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64vorbisfile3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libvorbis-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libvorbis0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libvorbis0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libvorbisenc2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libvorbisfile3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2007.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ 
\"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"x86_64\", reference:\"lib64vorbis0-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"x86_64\", reference:\"lib64vorbis0-devel-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"x86_64\", reference:\"lib64vorbisenc2-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"x86_64\", reference:\"lib64vorbisfile3-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"i386\", reference:\"libvorbis0-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"i386\", reference:\"libvorbis0-devel-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"i386\", reference:\"libvorbisenc2-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"i386\", reference:\"libvorbisfile3-1.1.2-1.4mdv2007.1\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64vorbis-devel-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64vorbis0-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64vorbisenc2-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64vorbisfile3-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libvorbis-devel-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libvorbis0-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libvorbisenc2-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) 
flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libvorbisfile3-1.2.0-1.1mdv2008.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64vorbis-devel-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64vorbis0-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64vorbisenc2-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64vorbisfile3-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libvorbis-devel-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libvorbis0-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libvorbisenc2-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libvorbisfile3-1.2.0-3.1mdv2008.1\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:25:20", "description": "Updated libvorbis packages that fix various security issues are now\navailable for Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libvorbis packages contain runtime libraries for use in programs\nthat support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary,\npatent-and royalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. 
An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages,\nwhich contain backported patches to resolve these issues.", "edition": 27, "published": "2008-05-16T00:00:00", "title": "CentOS 3 / 4 / 5 : libvorbis (CESA-2008:0270)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "modified": "2008-05-16T00:00:00", "cpe": ["p-cpe:/a:centos:centos:libvorbis", "cpe:/o:centos:centos:4", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:libvorbis-devel", "cpe:/o:centos:centos:3"], "id": "CENTOS_RHSA-2008-0270.NASL", "href": "https://www.tenable.com/plugins/nessus/32326", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0270 and \n# CentOS Errata and Security Advisory 2008:0270 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32326);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_bugtraq_id(29206);\n script_xref(name:\"RHSA\", value:\"2008:0270\");\n\n script_name(english:\"CentOS 3 / 4 / 5 : libvorbis (CESA-2008:0270)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Updated libvorbis packages that fix various security issues are now\navailable for Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libvorbis packages contain runtime libraries for use in programs\nthat support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary,\npatent-and royalty-free, general-purpose compressed audio format.\n\nWill Drewry of the Google Security Team reported several flaws in the\nway libvorbis processed audio data. An attacker could create a\ncarefully crafted OGG audio file in such a way that it could cause an\napplication linked with libvorbis to crash, or execute arbitrary code\nwhen it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\n\nMoreover, additional OGG file sanity-checks have been added to prevent\npossible exploitation of similar issues in the future.\n\nUsers of libvorbis are advised to upgrade to these updated packages,\nwhich contain backported patches to resolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014898.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0ddfbdb\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014899.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b6ff27a7\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014900.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0ef44d9e\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014901.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c4d76914\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014906.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a84fa5d4\"\n );\n # 
https://lists.centos.org/pipermail/centos-announce/2008-May/014908.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?deb53d9f\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014914.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5b257c95\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-May/014915.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f0d1611b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libvorbis packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libvorbis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libvorbis-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(3|4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 3.x / 4.x / 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", reference:\"libvorbis-1.0-10.el3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"libvorbis-devel-1.0-10.el3\")) flag++;\n\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"libvorbis-1.1.0-3.el4_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"libvorbis-1.1.0-3.c4.1\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"libvorbis-1.1.0-3.el4_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"libvorbis-devel-1.1.0-3.el4_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"libvorbis-devel-1.1.0-3.c4.1\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"libvorbis-devel-1.1.0-3.el4_6.1\")) flag++;\n\nif 
(rpm_check(release:\"CentOS-5\", reference:\"libvorbis-1.1.2-3.el5_1.2\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"libvorbis-devel-1.1.2-3.el5_1.2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvorbis / libvorbis-devel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-25T10:57:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423"], "description": "Check for the Version of libvorbis", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:880142", "href": "http://plugins.openvas.org/nasl.php?oid=880142", "type": "openvas", "title": "CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The libvorbis packages contain runtime libraries for use in programs that\n support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\n royalty-free, general-purpose compressed audio format.\n\n Will Drewry of the Google Security Team reported several flaws in the way\n libvorbis processed audio data. An attacker could create a carefully\n crafted OGG audio file in such a way that it could cause an application\n linked with libvorbis to crash, or execute arbitrary code when it was\n opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)\n \n Moreover, additional OGG file sanity-checks have been added to prevent\n possible exploitation of similar issues in the future.\n \n Users of libvorbis are advised to upgrade to these updated packages, which\n contain backported patches to resolve these issues.\";\n\ntag_affected = \"libvorbis on CentOS 2\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-May/014905.html\");\n script_id(880142);\n script_version(\"$Revision: 6651 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:45:21 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0271-01\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", 
\"CVE-2008-1423\", \"CVE-2008-2009\");\n script_name( \"CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386\");\n\n script_summary(\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS2\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.0rc2~9.el2\", rls:\"CentOS2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0rc2~9.el2\", rls:\"CentOS2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423"], "description": "Check for the Version of libvorbis", "modified": "2018-04-06T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:1361412562310870075", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870075", "type": "openvas", "title": "RedHat Update for libvorbis RHSA-2008:0271-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat 
Update for libvorbis RHSA-2008:0271-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The libvorbis packages contain runtime libraries for use in programs that\n support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\n royalty-free, general-purpose compressed audio format.\n\n Will Drewry of the Google Security Team reported several flaws in the way\n libvorbis processed audio data. An attacker could create a carefully\n crafted OGG audio file in such a way that it could cause an application\n linked with libvorbis to crash, or execute arbitrary code when it was\n opened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)\n \n Moreover, additional OGG file sanity-checks have been added to prevent\n possible exploitation of similar issues in the future.\n \n Users of libvorbis are advised to upgrade to these updated packages, which\n contain backported patches to resolve these issues.\";\n\ntag_affected = \"libvorbis on Red Hat Enterprise Linux AS (Advanced Server) version 2.1,\n Red Hat Enterprise Linux ES version 2.1,\n Red Hat Enterprise Linux WS version 2.1\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-May/msg00008.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870075\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2008:0271-01\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\", \"CVE-2008-2009\");\n script_name( \"RedHat Update for libvorbis RHSA-2008:0271-01\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_2.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.0rc2~9.el2\", rls:\"RHENT_2.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0rc2~9.el2\", rls:\"RHENT_2.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423"], "description": "Check for the Version of libvorbis", "modified": "2018-04-06T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:1361412562310880142", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880142", "type": "openvas", "title": "CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The libvorbis packages contain runtime libraries for use in programs that\n support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\n royalty-free, general-purpose compressed audio format.\n\n Will Drewry of the Google Security Team reported several flaws in the way\n libvorbis processed audio data. An attacker could create a carefully\n crafted OGG audio file in such a way that it could cause an application\n linked with libvorbis to crash, or execute arbitrary code when it was\n opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423, CVE-2008-2009)\n \n Moreover, additional OGG file sanity-checks have been added to prevent\n possible exploitation of similar issues in the future.\n \n Users of libvorbis are advised to upgrade to these updated packages, which\n contain backported patches to resolve these issues.\";\n\ntag_affected = \"libvorbis on CentOS 2\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-May/014905.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880142\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0271-01\");\n script_cve_id(\"CVE-2008-1419\", 
\"CVE-2008-1420\", \"CVE-2008-1423\", \"CVE-2008-2009\");\n script_name( \"CentOS Update for libvorbis CESA-2008:0271-01 centos2 i386\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS2\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.0rc2~9.el2\", rls:\"CentOS2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0rc2~9.el2\", rls:\"CentOS2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:39:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "Check for the Version of libvorbis", "modified": "2018-04-06T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:1361412562310880258", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880258", "type": "openvas", "title": "CentOS Update for libvorbis CESA-2008:0270 centos3 i386", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n#\n# CentOS Update for libvorbis CESA-2008:0270 centos3 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The libvorbis packages contain runtime libraries for use in programs that\n support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\n royalty-free, general-purpose compressed audio format.\n\n Will Drewry of the Google Security Team reported several flaws in the way\n libvorbis processed audio data. An attacker could create a carefully\n crafted OGG audio file in such a way that it could cause an application\n linked with libvorbis to crash, or execute arbitrary code when it was\n opened. 
(CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\n \n Moreover, additional OGG file sanity-checks have been added to prevent\n possible exploitation of similar issues in the future.\n \n Users of libvorbis are advised to upgrade to these updated packages, which\n contain backported patches to resolve these issues.\";\n\ntag_affected = \"libvorbis on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-May/014898.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880258\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0270\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_name( \"CentOS Update for libvorbis CESA-2008:0270 centos3 i386\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == 
\"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.0~10.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0~10.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:57:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "Check for the Version of libvorbis", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:880064", "href": "http://plugins.openvas.org/nasl.php?oid=880064", "type": "openvas", "title": "CentOS Update for libvorbis CESA-2008:0270 centos3 x86_64", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libvorbis CESA-2008:0270 centos3 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The libvorbis packages contain runtime libraries for use in programs that\n support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and\n royalty-free, general-purpose compressed audio format.\n\n Will Drewry of the Google Security Team reported several flaws in the way\n libvorbis processed audio data. An attacker could create a carefully\n crafted OGG audio file in such a way that it could cause an application\n linked with libvorbis to crash, or execute arbitrary code when it was\n opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)\n \n Moreover, additional OGG file sanity-checks have been added to prevent\n possible exploitation of similar issues in the future.\n \n Users of libvorbis are advised to upgrade to these updated packages, which\n contain backported patches to resolve these issues.\";\n\ntag_affected = \"libvorbis on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-May/014899.html\");\n script_id(880064);\n script_version(\"$Revision: 6651 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:45:21 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0270\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n 
script_name( \"CentOS Update for libvorbis CESA-2008:0270 centos3 x86_64\");\n\n script_summary(\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.0~10.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0~10.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:55:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n libvorbis-devel\n libvorbis\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5026120 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65280", "href": "http://plugins.openvas.org/nasl.php?oid=65280", "type": "openvas", "title": "SLES9: Security update for libvorbis", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5026120.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for libvorbis\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n libvorbis-devel\n libvorbis\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5026120 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65280);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for libvorbis\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"libvorbis-devel\", rpm:\"libvorbis-devel~1.0.1~56.8\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:28:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "Ubuntu Update for libvorbis vulnerabilities USN-682-1", "modified": "2017-12-01T00:00:00", "published": "2009-03-23T00:00:00", "id": "OPENVAS:840247", "href": "http://plugins.openvas.org/nasl.php?oid=840247", "type": "openvas", "title": "Ubuntu Update for libvorbis vulnerabilities USN-682-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_682_1.nasl 7969 2017-12-01 09:23:16Z santu $\n#\n# Ubuntu Update for libvorbis vulnerabilities USN-682-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will 
be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that libvorbis did not correctly handle certain malformed\n sound files. If a user were tricked into opening a specially crafted sound\n file with an application that uses libvorbis, an attacker could execute\n arbitrary code with the user's privileges.\";\n\ntag_summary = \"Ubuntu Update for libvorbis vulnerabilities USN-682-1\";\ntag_affected = \"libvorbis vulnerabilities on Ubuntu 6.06 LTS ,\n Ubuntu 7.10 ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-682-1/\");\n script_id(840247);\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-23 10:59:50 +0100 (Mon, 23 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"682-1\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_name( \"Ubuntu Update for libvorbis vulnerabilities USN-682-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libvorbis-dev\", ver:\"1.1.2-0ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbis0a\", ver:\"1.1.2-0ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbisenc2\", ver:\"1.1.2-0ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbisfile3\", ver:\"1.1.2-0ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libvorbis-dev\", ver:\"1.2.0.dfsg-2ubuntu0.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbis0a\", ver:\"1.2.0.dfsg-2ubuntu0.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbisenc2\", ver:\"1.2.0.dfsg-2ubuntu0.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbisfile3\", ver:\"1.2.0.dfsg-2ubuntu0.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
(__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libvorbis-dev\", ver:\"1.2.0.dfsg-1ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbis0a\", ver:\"1.2.0.dfsg-1ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbisenc2\", ver:\"1.2.0.dfsg-1ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libvorbisfile3\", ver:\"1.2.0.dfsg-1ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "The remote host is missing an update to libvorbis\nannounced via advisory DSA 1591-1.", "modified": "2017-07-07T00:00:00", "published": "2008-06-11T00:00:00", "id": "OPENVAS:61107", "href": "http://plugins.openvas.org/nasl.php?oid=61107", "type": "openvas", "title": "Debian Security Advisory DSA 1591-1 (libvorbis)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1591_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1591-1 (libvorbis)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several local (remote) vulnerabilities have been discovered in libvorbis,\na library for the Vorbis general-purpose compressed audio codec. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2008-1419\n\nlibvorbis does not properly handle a zero value which allows remote\nattackers to cause a denial of service (crash or infinite loop) or\ntrigger an integer overflow.\n\nCVE-2008-1420\n\nInteger overflow in libvorbis allows remote attackers to execute\narbitrary code via a crafted OGG file, which triggers a heap overflow.\n\nCVE-2008-1423\n\nInteger overflow in libvorbis allows remote attackers to cause a denial\nof service (crash) or execute arbitrary code via a crafted OGG file\nwhich triggers a heap overflow.\n\nFor the stable distribution (etch), these problems have been fixed in version\n1.1.2.dfsg-1.4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.2.0.dfsg-3.1.\n\nWe recommend that you upgrade your libvorbis package.\";\ntag_summary = \"The remote host is missing an update to libvorbis\nannounced via advisory DSA 1591-1.\";\n\ntag_solution = 
\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201591-1\";\n\n\nif(description)\n{\n script_id(61107);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-06-11 18:37:44 +0200 (Wed, 11 Jun 2008)\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1591-1 (libvorbis)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libvorbisenc2\", ver:\"1.1.2.dfsg-1.4\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvorbis0a\", ver:\"1.1.2.dfsg-1.4\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvorbisfile3\", ver:\"1.1.2.dfsg-1.4\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvorbis-dev\", ver:\"1.1.2.dfsg-1.4\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "Check for the Version of libvorbis", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860665", "href": "http://plugins.openvas.org/nasl.php?oid=860665", "type": "openvas", "title": "Fedora Update for libvorbis FEDORA-2008-3910", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libvorbis FEDORA-2008-3910\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,\n general-purpose compressed audio format for audio and music at fixed\n and variable bitrates from 16 to 128 kbps/channel.\n\n The libvorbis package contains runtime libraries for use in programs\n that support Ogg Vorbis.\";\n\ntag_affected = \"libvorbis on Fedora 9\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00256.html\");\n script_id(860665);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:43:56 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2008-3910\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_name( \"Fedora Update for libvorbis FEDORA-2008-3910\");\n\n script_summary(\"Check for the Version of libvorbis\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n 
script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvorbis\", rpm:\"libvorbis~1.2.0~4.fc9\", rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200806-09.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:61183", "href": "http://plugins.openvas.org/nasl.php?oid=61183", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200806-09 (libvorbis)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in libvorbis might lead to the execution of\narbitrary code.\";\ntag_solution = \"All libvorbis users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/libvorbis-1.2.1_rc1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200806-09\nhttp://bugs.gentoo.org/show_bug.cgi?id=222085\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200806-09.\";\n\n \n\nif(description)\n{\n script_id(61183);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2008-1419\", \"CVE-2008-1420\", \"CVE-2008-1423\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200806-09 (libvorbis)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-libs/libvorbis\", unaffected: make_list(\"ge 1.2.1_rc1\"), vulnerable: make_list(\"lt 1.2.1_rc1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-09T01:33:30", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "It was discovered that libvorbis did not correctly handle certain malformed \nsound files. If a user were tricked into opening a specially crafted sound \nfile with an application that uses libvorbis, an attacker could execute \narbitrary code with the user's privileges.", "edition": 5, "modified": "2008-12-01T00:00:00", "published": "2008-12-01T00:00:00", "id": "USN-682-1", "href": "https://ubuntu.com/security/notices/USN-682-1", "title": "libvorbis vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:22:06", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2009-2663"], "description": "It was discovered that libvorbis did not correctly handle certain malformed \nogg files. 
If a user were tricked into opening a specially crafted ogg file \nwith an application that uses libvorbis, an attacker could execute \narbitrary code with the user's privileges. (CVE-2009-2663)\n\nUSN-682-1 provided updated libvorbis packages to fix multiple security \nvulnerabilities. The upstream security patch to fix CVE-2008-1420 \nintroduced a regression when reading sound files encoded with libvorbis \n1.0beta1. This update corrects the problem.\n\nOriginal advisory details:\n\nIt was discovered that libvorbis did not correctly handle certain \nmalformed sound files. If a user were tricked into opening a specially \ncrafted sound file with an application that uses libvorbis, an attacker \ncould execute arbitrary code with the user's privileges. (CVE-2008-1420)", "edition": 5, "modified": "2009-08-24T00:00:00", "published": "2009-08-24T00:00:00", "id": "USN-825-1", "href": "https://ubuntu.com/security/notices/USN-825-1", "title": "libvorbis vulnerability", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:30:18", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2009", "CVE-2009-3379"], "description": "It was discovered that libvorbis did not correctly handle ogg files with \nunderpopulated Huffman trees. If a user were tricked into opening a \nspecially crafted ogg file with an application that uses libvorbis, an \nattacker could cause a denial of service. (CVE-2008-2009)\n\nIt was discovered that libvorbis did not correctly handle certain malformed \nogg files. If a user were tricked into opening a specially crafted ogg file \nwith an application that uses libvorbis, an attacker could cause a denial \nof service or possibly execute arbitrary code with the user's privileges. 
\n(CVE-2009-3379)", "edition": 5, "modified": "2009-11-24T00:00:00", "published": "2009-11-24T00:00:00", "id": "USN-861-1", "href": "https://ubuntu.com/security/notices/USN-861-1", "title": "libvorbis vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "\nRed Hat reports:\n\nWill Drewry of the Google Security Team reported several\n\t flaws in the way libvorbis processed audio data. An\n\t attacker could create a carefully crafted [Vorbis] audio file\n\t in such a way that it could cause an application linked\n\t with libvorbis to crash, or execute arbitrary code when\n\t it was opened.\n\n", "edition": 4, "modified": "2008-05-14T00:00:00", "published": "2008-05-14T00:00:00", "id": "F5A76FAF-244C-11DD-B143-0211D880E350", "href": "https://vuxml.freebsd.org/freebsd/f5a76faf-244c-11dd-b143-0211d880e350.html", "title": "libvorbis -- various security issues", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:05", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-2009", "CVE-2008-1419", "CVE-2008-1423", "CVE-2008-1418"], "description": "\nThe RedHat Project reports:\n\nWill Drewry of the Google Security Team reported multiple\n\t issues in OGG Vorbis and Tremor libraries, that could cause\n\t applications using those libraries to crash (NULL pointer\n\t dereference or divide by zero), enter an infinite loop or\n\t cause a heap overflow caused by integer overflow.\n\n", "edition": 4, "modified": "2015-08-25T00:00:00", "published": "2008-03-19T00:00:00", "id": "3DAC84C9-BCE1-4199-9784-D68AF1EB7B2E", "href": "https://vuxml.freebsd.org/freebsd/3dac84c9-bce1-4199-9784-d68af1eb7b2e.html", "title": "libtremor -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:11", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2009-3379"], "description": "\nThe Ubuntu security team reports:\n\nIt was discovered that libvorbis did not correctly\n\t handle certain malformed vorbis files. If a user were\n\t tricked into opening a specially crafted vorbis file\n\t with an application that uses libvorbis, an attacker\n\t could cause a denial of service or possibly execute\n\t arbitrary code with the user's privileges.\n\n", "edition": 4, "modified": "2009-11-24T00:00:00", "published": "2009-11-24T00:00:00", "id": "94EDFF42-D93D-11DE-A434-0211D880E350", "href": "https://vuxml.freebsd.org/freebsd/94edff42-d93d-11de-a434-0211d880e350.html", "title": "libvorbis -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:05", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "[1.1.2-3.el5.2]\n- fix release tag\nRelated: #444707\n[1.1.2-3.el5.1]\n- fix CVE-2008-1420, CVE-2008-1419, CVE-2008-1423\nResolves: #444707", "edition": 4, "modified": "2008-05-14T00:00:00", "published": "2008-05-14T00:00:00", "id": "ELSA-2008-0270", "href": "http://linux.oracle.com/errata/ELSA-2008-0270.html", "title": "libvorbis security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T21:43:02", "description": "BUGTRAQ ID: 29206\r\nCVE(CAN) ID: 
CVE-2008-1419,CVE-2008-1420,CVE-2008-1423\r\n\r\nlibvorbis\u662f\u5f00\u6e90\u7684\u97f3\u9891\u97f3\u4e50\u7f16\u7801\u89e3\u7801\u51fd\u6570\u5e93\u3002\r\n\r\nlibvorbis\u5728\u5904\u7406\u7578\u5f62\u683c\u5f0f\u7684OGG\u6587\u4ef6\u65f6\u5b58\u5728\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\r\n\r\n\u5982\u679c\u7279\u5236\u7684OGG\u6587\u4ef6\u5305\u542b\u6709codebook\u7ef4\u5ea6\u4e3a0\u7684\u8bdd\uff0c\u6253\u5f00\u8be5\u6587\u4ef6\u5c31\u4f1a\u5bfc\u81f4\u4f7f\u7528libvorbis\u5e93\u7684\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u3001\u51fa\u73b0\u6b7b\u5faa\u73af\u6216\u5806\u6ea2\u51fa\u3002\r\n\r\n\u5982\u679c\u4f7f\u7528libvorbis\u5e93\u7684\u5e94\u7528\u7a0b\u5e8f\u6253\u5f00\u4e86\u7279\u5236\u7684OGG\u6587\u4ef6\u7684\u8bdd\uff0c\u5728\u5904\u7406residue\u5206\u533a\u503c\u548c\u8ba1\u7b97quantvals\u53caquantlist\u6240\u9700\u7a7a\u95f4\u65f6\u53ef\u80fd\u4f1a\u51fa\u73b0\u6574\u6570\u6ea2\u51fa\uff0c\u6700\u7ec8\u4f1a\u5bfc\u81f4\u5806\u6ea2\u51fa\u3002\r\n\r\n\n\nXiph.org Libvorbis 1.2\n RedHat\r\n------\r\nRedHat\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08RHSA-2008:0270-01\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nRHSA-2008:0270-01\uff1aImportant: libvorbis security update\r\n\u94fe\u63a5\uff1a<a href=https://www.redhat.com/support/errata/RHSA-2008-0270.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0270.html</a>\r\n\r\nXiph.org\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=https://trac.xiph.org/changeset/14602 target=_blank>https://trac.xiph.org/changeset/14602</a>\r\n<a href=https://trac.xiph.org/changeset/14598 target=_blank>https://trac.xiph.org/changeset/14598</a>\r\n<a href=https://trac.xiph.org/changeset/14600 
target=_blank>https://trac.xiph.org/changeset/14600</a>\r\n<a href=https://trac.xiph.org/changeset/14604 target=_blank>https://trac.xiph.org/changeset/14604</a>", "published": "2008-05-17T00:00:00", "type": "seebug", "title": "libvorbis\u591a\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423"], "modified": "2008-05-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3300", "id": "SSV:3300", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1591-1 security@debian.org\r\nhttp://www.debian.org/security/ Thijs Kinkhorst\r\nJune 03, 2008 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : libvorbis\r\nVulnerability : several\r\nProblem type : local (remote)\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2008-1419 CVE-2008-1420 CVE-2008-1423\r\nDebian Bug : 482518\r\n\r\nSeveral local (remote) vulnerabilities have been discovered in libvorbis,\r\na library for the Vorbis general-purpose compressed audio codec. 
The Common\r\nVulnerabilities and Exposures project identifies the following problems:\r\n\r\nCVE-2008-1419\r\n\r\n libvorbis does not properly handle a zero value which allows remote\r\n attackers to cause a denial of service (crash or infinite loop) or\r\n trigger an integer overflow.\r\n\r\nCVE-2008-1420\r\n\r\n Integer overflow in libvorbis allows remote attackers to execute\r\n arbitrary code via a crafted OGG file, which triggers a heap overflow.\r\n\r\nCVE-2008-1423\r\n\r\n Integer overflow in libvorbis allows remote attackers to cause a denial\r\n of service (crash) or execute arbitrary code via a crafted OGG file\r\n which triggers a heap overflow.\r\n\r\nFor the stable distribution (etch), these problems have been fixed in version\r\n1.1.2.dfsg-1.4.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.2.0.dfsg-3.1. \r\n\r\nWe recommend that you upgrade your libvorbis package.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.dsc\r\n Size/MD5 checksum: 787 2f0bfd28fb368c43c56332e7de7a2e3d\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg.orig.tar.gz\r\n Size/MD5 checksum: 1312540 44cf09fef7f78e7c6ba7dd63b6137412\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.diff.gz\r\n Size/MD5 checksum: 15782 
62527e6adcff1dca42018a0252b19b91\r\n\r\nalpha architecture (DEC Alpha)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_alpha.deb\r\n Size/MD5 checksum: 94500 edb2728b48cd6fc0357f62a7dc8fca5c\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_alpha.deb\r\n Size/MD5 checksum: 110468 8273babee8a08c373671b468469b2ede\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_alpha.deb\r\n Size/MD5 checksum: 19202 925dfba3f212e8b69c760c433b119716\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_alpha.deb\r\n Size/MD5 checksum: 494958 0052fe78f4be43cb9a7f42ea2b25f7fe\r\n\r\namd64 architecture (AMD x86_64 (AMD64))\r\n\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_amd64.deb\r\n Size/MD5 checksum: 17790 f49da89a8b972614687f3a5e2f6c5bac\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_amd64.deb\r\n Size/MD5 checksum: 93498 241499415b96f3e348d1ec9c66a45981\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_amd64.deb\r\n Size/MD5 checksum: 101508 63e1e8392876a822dc664e21b19e0185\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_amd64.deb\r\n Size/MD5 checksum: 468670 8c6c80eb7b8e7f8b49be1447357ebce1\r\n\r\narm architecture (ARM)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_arm.deb\r\n Size/MD5 checksum: 75744 03dad28341cde24fbbfd20444bf346c2\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_arm.deb\r\n Size/MD5 checksum: 18528 508cb939f65a367447c44add9dd8c11a\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_arm.deb\r\n Size/MD5 checksum: 98190 a09c2d3021f7b9d2d9b2bf04b2d30957\r\n 
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_arm.deb\r\n Size/MD5 checksum: 458578 6dcadbb28c56a0a9368bfcd67b28d3fa\r\n\r\nhppa architecture (HP PA RISC)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_hppa.deb\r\n Size/MD5 checksum: 483196 0435784553fb2b9c08c915da58c3c7e1\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_hppa.deb\r\n Size/MD5 checksum: 21978 6ade3e3b040f8e01c4fe023df6faf2de\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_hppa.deb\r\n Size/MD5 checksum: 108084 7d263ee14d29b787b0f32710ae2bffdf\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_hppa.deb\r\n Size/MD5 checksum: 92430 72180513d203103e56e4929ca6da035f\r\n\r\ni386 architecture (Intel ia32)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_i386.deb\r\n Size/MD5 checksum: 453652 55bc31f817b6806d19d8f0696cc288cd\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_i386.deb\r\n Size/MD5 checksum: 18884 5d4f1bccf5efa0d5ba5767b49f97d253\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_i386.deb\r\n Size/MD5 checksum: 75346 f11509bd2b430f8be62706a13748d6bc\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_i386.deb\r\n Size/MD5 checksum: 98176 d5b46716c8ab083b9c00b523a73a81b9\r\n\r\nia64 architecture (Intel ia64)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_ia64.deb\r\n Size/MD5 checksum: 98022 dabf436427e867a81074bdca0c53ef6e\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_ia64.deb\r\n Size/MD5 checksum: 510180 1c4e1c58e7d63f10ff7efaf3a6555f46\r\n 
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_ia64.deb\r\n Size/MD5 checksum: 24700 8dadf685db0738f52c4b47420eff588a\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_ia64.deb\r\n Size/MD5 checksum: 136046 b5d657cad9154915f0a9c0779e68cf1c\r\n\r\nmips architecture (MIPS (Big Endian))\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mips.deb\r\n Size/MD5 checksum: 104986 3d6d14fff3621ed344e88e7bb57ae627\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mips.deb\r\n Size/MD5 checksum: 81588 e776156e4d5647f0aa591ea8b01d3aad\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mips.deb\r\n Size/MD5 checksum: 20946 5f5eca06d6b715087a4298d2db944fcf\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mips.deb\r\n Size/MD5 checksum: 479286 4a9404dab651fd387901d6eb223bd835\r\n\r\nmipsel architecture (MIPS (Little Endian))\r\n\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mipsel.deb\r\n Size/MD5 checksum: 76982 63638be1a06154fa1126e5be3a4ac95e\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mipsel.deb\r\n Size/MD5 checksum: 469086 9c31f061ab04690bf52876821a9383ea\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mipsel.deb\r\n Size/MD5 checksum: 20944 5f59636c00cbe76590ac1ef23235cd8d\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mipsel.deb\r\n Size/MD5 checksum: 104948 be1bf5fd730d239f5cd62a92cd4b75e4\r\n\r\npowerpc architecture (PowerPC)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_powerpc.deb\r\n Size/MD5 checksum: 105760 ba397af813b092de9bea72accb46db4b\r\n 
\r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_powerpc.deb\r\n Size/MD5 checksum: 21394 7e12a198ce7bed6922d20da108e5bad5\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_powerpc.deb\r\n Size/MD5 checksum: 82558 1299949b45c3a6fdba4fa64fcf48dc53\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_powerpc.deb\r\n Size/MD5 checksum: 475206 7cda1ebdffc9b47d90efa594bea5d5b8\r\n\r\ns390 architecture (IBM S/390)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_s390.deb\r\n Size/MD5 checksum: 452736 403af241544bf4fd66f4993003f0f192\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_s390.deb\r\n Size/MD5 checksum: 90546 f2f4a9e7410b946b91c4d44cef18f5af\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_s390.deb\r\n Size/MD5 checksum: 102548 ad43cb11ddff398ee0a83ded1a024321\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_s390.deb\r\n Size/MD5 checksum: 20920 7ffdc1f9962394073efae81356780428\r\n\r\nsparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_sparc.deb\r\n Size/MD5 checksum: 98252 fad4afe3566e986fe819a0fff6a2376e\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_sparc.deb\r\n Size/MD5 checksum: 453410 ce3775bb59d55b9ba7e34469225e0d20\r\n \r\nhttp://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_sparc.deb\r\n Size/MD5 checksum: 17888 4eaf8a0cfd4f3b1c6f8332ccf1bf6ef4\r\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_sparc.deb\r\n Size/MD5 checksum: 79796 57795226ac31a7b5bf7793e4e14dc89a\r\n\r\n\r\n These files will probably be moved into the stable 
distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (GNU/Linux)\r\n\r\niQEVAwUBSEUOemz0hbPcukPfAQKlCwf/RNQkhN5GiXzWbIPQDNuXCa9Gri63UI6Z\r\nyUpFdhpcitk0JKDznD67BwrVjEFOOhInCDMiVftX53oAGoUhW/kEbQ4A+gzqf9cJ\r\nB6OfyEjzV9JLEZ5OMlRQCigQpbUqQVwx6ISBM/RuzbuQSXEpYtUPztPAqHmVZDdU\r\nWjiVKEioP6T64ql9xxEu15ekuWJpcaglkHSOEGPmJZwP/9sLCQrVUwciMSWR/fr+\r\nkdV47I292yfyhdVMnmszpncAtO1ZWAyDV8DZS2yMXlqxfK/nMadz4PWj39gISr6e\r\n677OU3WzrE+tj7hKGvutvivwTEzNzhrHq5/oYFnQn/mgoHfgKFsNlQ==\r\n=52+x\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-06-04T00:00:00", "published": "2008-06-04T00:00:00", "id": "SECURITYVULNS:DOC:19950", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19950", "title": "[SECURITY] [DSA 1591-1] New libvorbis packages fix several vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2009-2663", "CVE-2008-1423"], "description": "Multiple integer overflows and denial of service.", "edition": 1, "modified": "2009-08-25T00:00:00", "published": "2009-08-25T00:00:00", "id": "SECURITYVULNS:VULN:9045", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9045", "title": "libvorbis multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "cvelist": 
["CVE-2008-1420", "CVE-2009-2663"], "description": "===========================================================\r\nUbuntu Security Notice USN-825-1 August 24, 2009\r\nlibvorbis vulnerability\r\nCVE-2008-1420, CVE-2009-2663\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 8.04 LTS\r\nUbuntu 8.10\r\nUbuntu 9.04\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 8.04 LTS:\r\n libvorbis0a 1.2.0.dfsg-2ubuntu0.2\r\n\r\nUbuntu 8.10:\r\n libvorbis0a 1.2.0.dfsg-3.1ubuntu0.8.10.1\r\n\r\nUbuntu 9.04:\r\n libvorbis0a 1.2.0.dfsg-3.1ubuntu0.9.04.1\r\n\r\nAfter a standard system upgrade you need to restart any applications that\r\nuse libvorbis, such as Totem and gtkpod, to effect the necessary changes.\r\n\r\nDetails follow:\r\n\r\nIt was discovered that libvorbis did not correctly handle certain malformed\r\nogg files. If a user were tricked into opening a specially crafted ogg file\r\nwith an application that uses libvorbis, an attacker could execute\r\narbitrary code with the user's privileges. (CVE-2009-2663)\r\n\r\nUSN-682-1 provided updated libvorbis packages to fix multiple security\r\nvulnerabilities. The upstream security patch to fix CVE-2008-1420\r\nintroduced a regression when reading sound files encoded with libvorbis\r\n1.0beta1. This update corrects the problem.\r\n\r\nOriginal advisory details:\r\n\r\n It was discovered that libvorbis did not correctly handle certain\r\n malformed sound files. If a user were tricked into opening a specially\r\n crafted sound file with an application that uses libvorbis, an attacker\r\n could execute arbitrary code with the user's privileges. 
(CVE-2008-1420)\r\n\r\n\r\nUpdated packages for Ubuntu 8.04 LTS:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.diff.gz\r\n Size/MD5: 7638 5ef4a460b5fd50930d7fff2a3ae16525\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.2.dsc\r\n Size/MD5: 936 d8ad7ba3c0193a2f3316bdc5fd1d5e3a\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_amd64.deb\r\n Size/MD5: 475166 de6d259598243961b3c5182c94100f1b\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_amd64.deb\r\n Size/MD5: 103952 88f017ca397bc19027405bc68a5289ce\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_amd64.deb\r\n Size/MD5: 94498 76e594149cea4b564987e11dbafec73a\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_amd64.deb\r\n Size/MD5: 19140 538a4089efae6cdfc04566fc58b42891\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_i386.deb\r\n Size/MD5: 455682 de7271e005d596055ae7fa9b1b4bc62b\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_i386.deb\r\n Size/MD5: 98852 bd8fa74c395c206003e6e91aadf6deeb\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_i386.deb\r\n Size/MD5: 76234 8504521d4e73b31a0a6c609ab774e8ce\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_i386.deb\r\n Size/MD5: 19986 98e7e407c4b79bd621fa30d2b84f9b2c\r\n\r\n lpia architecture (Low 
Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_lpia.deb\r\n Size/MD5: 457660 14ed971b555ea3670d5dd42f611620ce\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_lpia.deb\r\n Size/MD5: 99468 07e87d8d7af71050d53166ced47504fe\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_lpia.deb\r\n Size/MD5: 76374 6c8d29103543fb88fd1a062f1bfe5b0d\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_lpia.deb\r\n Size/MD5: 19988 34bea1bc33491a9f6fc23cfbbe2e6fdd\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_powerpc.deb\r\n Size/MD5: 484518 642acb42cf899742df77c023f611a5c3\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_powerpc.deb\r\n Size/MD5: 108862 1b97fcc0cf8d5d761f4527ceec4ae6c5\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_powerpc.deb\r\n Size/MD5: 83746 b063ec251329025e942c2957c7bec973\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_powerpc.deb\r\n Size/MD5: 23846 9ea8d0f1d7e2feda361483667ee8c98b\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.2_sparc.deb\r\n Size/MD5: 462056 23faf950e87cdc4ca8afbb7e0ebf8efb\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.2_sparc.deb\r\n Size/MD5: 99760 70afdb67c094d2f0335d6b0fc8613e39\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.2_sparc.deb\r\n Size/MD5: 80730 e90392526ecb5627c47d0a0d7b0712c5\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.2_sparc.deb\r\n Size/MD5: 19260 3cb72f75781984eb6d348f09e4892dea\r\n\r\nUpdated packages 
for Ubuntu 8.10:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.diff.gz\r\n Size/MD5: 8801 f3917fc3cf6a8e35febf6b334cda2cdf\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.1.dsc\r\n Size/MD5: 1388 4ba46a758620e3fe5d938cfe97ed038f\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb\r\n Size/MD5: 479182 1eeb2b5e550c6f815c33324df5554f76\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb\r\n Size/MD5: 108578 e960e8b794da2927d930f1cf4334ec23\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb\r\n Size/MD5: 95710 84bbe4ccb1f4b302c0710c2c86f5b89a\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_amd64.deb\r\n Size/MD5: 20338 34698dc57acb94faa3464a9f0b5d2c50\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb\r\n Size/MD5: 459476 9281d6ab6f50761dff11d81a8579a884\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb\r\n Size/MD5: 101988 77988363a0bf4a683b941cae203e6e5e\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb\r\n Size/MD5: 77430 430623540170ef59f74808456daecd5f\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_i386.deb\r\n Size/MD5: 21394 f46e5ee13b6c7c8adebad46f274caa43\r\n\r\n 
lpia architecture (Low Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb\r\n Size/MD5: 461190 ef1e6948c399b4b4d34b4993ca1a0fd8\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb\r\n Size/MD5: 102700 685a266d67332245778e49e208ab60eb\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb\r\n Size/MD5: 77588 266965c986c24dc8acbf9f0ecee6121e\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_lpia.deb\r\n Size/MD5: 21222 4df718e05f80a23ebb5accc4a627933f\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb\r\n Size/MD5: 490558 ffe86da6864c8d83c7f7b5931c9ef0e4\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb\r\n Size/MD5: 114702 b8e2d3ab8557085c3c834ae57ca68490\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb\r\n Size/MD5: 85080 d1d00cca1f654d523fa6a6f054a89df8\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_powerpc.deb\r\n Size/MD5: 25152 ea2c19f249936b64a5110b2330394533\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb\r\n Size/MD5: 465326 78eaf19b4bb88f020a41699894f1d502\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb\r\n Size/MD5: 104264 4a602b8bebfb44f3cfa7add1187af42a\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb\r\n Size/MD5: 82016 4ed85df7024e4b2d9826a8191b3cf112\r\n 
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.1_sparc.deb\r\n Size/MD5: 20786 d7b24c2778ce94510823f86fd94d1e04\r\n\r\nUpdated packages for Ubuntu 9.04:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.diff.gz\r\n Size/MD5: 8809 9a4601ba8d5ef852360032dc4f28135b\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.1.dsc\r\n Size/MD5: 1388 7bf6c7ee35a1ca2b0d4b25e8188585b5\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb\r\n Size/MD5: 479242 f585f7e7ae50de3569efc48dfed2dd55\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb\r\n Size/MD5: 108562 3ba8aada28f378b9776e0c8305e271fc\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb\r\n Size/MD5: 95702 68add631494d9a565d58a8b22a5f9bf0\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_amd64.deb\r\n Size/MD5: 20328 da6cc0a70f79cfa253445d563ee5c250\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb\r\n Size/MD5: 459624 8e285a17020f6b93dc375af4f8284920\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb\r\n Size/MD5: 102166 6148fa7ea86461915751f0dba2ef00c6\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb\r\n Size/MD5: 77442 
505253f72260e8f365ce68d947acab36\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_i386.deb\r\n Size/MD5: 21392 fee6650bfc4b4463a5a71e3dd12528bf\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb\r\n Size/MD5: 461294 24968b96a1ddafaef908011c82a6b9ee\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb\r\n Size/MD5: 102760 30ee010aefe3420151f6ace2e4a92b2b\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb\r\n Size/MD5: 77590 b6c9b556dfb4eae270f45fd1e9670700\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_lpia.deb\r\n Size/MD5: 21216 791d88d0551b48a2f6af17612c4e096e\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb\r\n Size/MD5: 490584 dc808a4fd3fdabfb9a76a10ec23f6529\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb\r\n Size/MD5: 114712 cdfdd11b2c932cb2a017c27d1001fbc1\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb\r\n Size/MD5: 85096 6cb5a1202e3db005ce69d7f2e0f8813c\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_powerpc.deb\r\n Size/MD5: 25156 9ddf20413d09f546d061b3a0b093ad1e\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb\r\n Size/MD5: 465382 4de8bfe56cdcbf0490c2a69de7bca0e9\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb\r\n Size/MD5: 104286 6a238cd48456d2bd4b1b6dad87a0b506\r\n 
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb\r\n Size/MD5: 81958 ce25c1cc928142e84a20c8f37caecf52\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.1_sparc.deb\r\n Size/MD5: 20758 976ef82da1d5cb2de170dc5dcf4532b9\r\n\r\n\r\n", "edition": 1, "modified": "2009-08-25T00:00:00", "published": "2009-08-25T00:00:00", "id": "SECURITYVULNS:DOC:22365", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22365", "title": "[USN-825-1] libvorbis vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2008-2009", "CVE-2009-3379"], "description": "===========================================================\r\nUbuntu Security Notice USN-861-1 November 24, 2009\r\nlibvorbis vulnerabilities\r\nCVE-2008-2009, CVE-2009-3379\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 8.04 LTS\r\nUbuntu 8.10\r\nUbuntu 9.04\r\nUbuntu 9.10\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 8.04 LTS:\r\n libvorbis0a 1.2.0.dfsg-2ubuntu0.3\r\n\r\nUbuntu 8.10:\r\n libvorbis0a 1.2.0.dfsg-3.1ubuntu0.8.10.2\r\n\r\nUbuntu 9.04:\r\n libvorbis0a 1.2.0.dfsg-3.1ubuntu0.9.04.2\r\n\r\nUbuntu 9.10:\r\n libvorbis0a 1.2.0.dfsg-6ubuntu0.1\r\n\r\nAfter a standard system upgrade you need to restart any applications that\r\nuse libvorbis, such as Totem and gtkpod, to effect the necessary changes.\r\n\r\nDetails follow:\r\n\r\nIt was discovered that libvorbis did not correctly handle ogg files with\r\nunderpopulated Huffman trees. 
If a user were tricked into opening a\r\nspecially crafted ogg file with an application that uses libvorbis, an\r\nattacker could cause a denial of service. (CVE-2008-2009)\r\n\r\nIt was discovered that libvorbis did not correctly handle certain malformed\r\nogg files. If a user were tricked into opening a specially crafted ogg file\r\nwith an application that uses libvorbis, an attacker could cause a denial\r\nof service or possibly execute arbitrary code with the user's privileges.\r\n(CVE-2009-3379)\r\n\r\n\r\nUpdated packages for Ubuntu 8.04 LTS:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.3.diff.gz\r\n Size/MD5: 12991 d7ac1cea7fd18471b0366844c4f2d434\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-2ubuntu0.3.dsc\r\n Size/MD5: 937 b9ab7e79ef09dbe4cc523245a179853c\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.3_amd64.deb\r\n Size/MD5: 476030 a96358bb558f637d96a4354101f9bb2c\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.3_amd64.deb\r\n Size/MD5: 104488 5463be3057e6f7e8db31b1acf3c8502d\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.3_amd64.deb\r\n Size/MD5: 94894 2c21a6d370070b7d12bed48f96036463\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.3_amd64.deb\r\n Size/MD5: 19630 a5a80fc2df2729b88590addfe3982cfb\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.3_i386.deb\r\n Size/MD5: 456398 9e41b7ea54511a6b6127c5c643eddb1e\r\n 
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.3_i386.deb\r\n Size/MD5: 99448 ffc9abdb63cc0312fef0566473f4c13d\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.3_i386.deb\r\n Size/MD5: 76726 8dc17f35d4699557bff77dc8a2673de8\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.3_i386.deb\r\n Size/MD5: 20402 cc111d8b13c33c5b03a364b0d1bb95d1\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.3_lpia.deb\r\n Size/MD5: 458366 c2d4e954201ef68cc3d241a7dda3ea93\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.3_lpia.deb\r\n Size/MD5: 100038 b371e7f6d202b427614a656cd618e407\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.3_lpia.deb\r\n Size/MD5: 76912 b219d40cdaadb9aa368b4e3449a0de0b\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.3_lpia.deb\r\n Size/MD5: 20406 cc10625815d7cb3516ad3e2e7325e7f8\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.3_powerpc.deb\r\n Size/MD5: 485154 86ff174f93f9000e89aa84ae7ba8e702\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.3_powerpc.deb\r\n Size/MD5: 109396 5e52e396225668911249ad4840ba89d2\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.3_powerpc.deb\r\n Size/MD5: 84090 053277cac971a8dd5854b25bc82f1275\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.3_powerpc.deb\r\n Size/MD5: 24256 7b644a68479f137d1c31cb7bc6e11239\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-2ubuntu0.3_sparc.deb\r\n Size/MD5: 462624 
43611553a9ff71736ad1829ee2d48ee6\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-2ubuntu0.3_sparc.deb\r\n Size/MD5: 100454 5d94a781fafacdb33752fbe8c687f4a6\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-2ubuntu0.3_sparc.deb\r\n Size/MD5: 81230 e7c3fcb35cd9f255af91fb850fce7718\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-2ubuntu0.3_sparc.deb\r\n Size/MD5: 19678 5c6725ecf7ad2f5697ddd80ec7181d99\r\n\r\nUpdated packages for Ubuntu 8.10:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.2.diff.gz\r\n Size/MD5: 14099 3b381e5b9d4ff995371549d0f4049b17\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.8.10.2.dsc\r\n Size/MD5: 1391 f693d0a5b8d382d11eafee3eeaec74b5\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.2_amd64.deb\r\n Size/MD5: 479892 fa93b658c3490a316a40440d66791937\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.2_amd64.deb\r\n Size/MD5: 109252 ef6627a20fb4892a1069ded79fe379be\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.2_amd64.deb\r\n Size/MD5: 96200 4fe223431c6c290695ae9c27fac0966a\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.2_amd64.deb\r\n Size/MD5: 20768 cb51f1c14be4d5bd735bc2ac74c4084f\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.2_i386.deb\r\n Size/MD5: 460236 
8d03a67ad77c3065462e07bfac250e79\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.2_i386.deb\r\n Size/MD5: 102638 29966392d03df0d2523aa3177434a158\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.2_i386.deb\r\n Size/MD5: 77906 10ad5e56f23d2b8f4ebb385df163b676\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.2_i386.deb\r\n Size/MD5: 21822 877561be88e24e6de4874c393257ba62\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.2_lpia.deb\r\n Size/MD5: 462006 8e817bd23febab8094cd11e99864bc92\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.2_lpia.deb\r\n Size/MD5: 103306 3d377b2b715e457858f7a3afa72e3a34\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.2_lpia.deb\r\n Size/MD5: 78054 87197ab70eab21d293d06a03b925a30a\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.2_lpia.deb\r\n Size/MD5: 21654 916bdeadfed79e9521fc44c10f414f23\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.2_powerpc.deb\r\n Size/MD5: 491454 62a722a76f9169182787e6646a01549b\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.2_powerpc.deb\r\n Size/MD5: 115404 d951d55225968eebf9464d18f6faab2f\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.2_powerpc.deb\r\n Size/MD5: 85524 cb9fa0eff43344cbcd177c44455ca863\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.2_powerpc.deb\r\n Size/MD5: 25540 6252523c4b9cb8e91af913dfa94a4509\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n 
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.8.10.2_sparc.deb\r\n Size/MD5: 465890 7bb9b029adab1877f2ae9b66ad650da6\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.8.10.2_sparc.deb\r\n Size/MD5: 105036 b5efdeab1f1ae5bf0f68032fae4de733\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.8.10.2_sparc.deb\r\n Size/MD5: 82522 217424eb3438493636c8e2e2e947a951\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.8.10.2_sparc.deb\r\n Size/MD5: 21210 fe7a01c235dcde80427cdc1c4218c650\r\n\r\nUpdated packages for Ubuntu 9.04:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.2.diff.gz\r\n Size/MD5: 14106 806c51558b40e8a0173258e322126dfc\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-3.1ubuntu0.9.04.2.dsc\r\n Size/MD5: 1391 8237287820fda9e5caaf1645917012a9\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.2_amd64.deb\r\n Size/MD5: 479954 ed840c38ac73f07d2594485992810cf3\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.2_amd64.deb\r\n Size/MD5: 109254 fa9ecb0116a031ea24c068f7c104a6c5\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.2_amd64.deb\r\n Size/MD5: 96190 92cce557b7dc8367962bd71f5d2e16ed\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.2_amd64.deb\r\n Size/MD5: 20752 b092b5312c1fdc3ca3b68efb67c6d788\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n 
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.2_i386.deb\r\n Size/MD5: 460350 dcab6f09451ee399e6c3718fd7a290b4\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.2_i386.deb\r\n Size/MD5: 102774 c0294bc33be421dc97b5a41f0962a305\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.2_i386.deb\r\n Size/MD5: 77908 4f631989517676b33426d8196ce86089\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.2_i386.deb\r\n Size/MD5: 21798 fd715839d6a485a560dc4ba3d6bd25f9\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.2_lpia.deb\r\n Size/MD5: 462086 df504130bd6ba53055514188ae319608\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.2_lpia.deb\r\n Size/MD5: 103382 81883010e7f156576925e34ee1bf3650\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.2_lpia.deb\r\n Size/MD5: 78050 4b0c1e4270759a4ebb0a4a3b3e819921\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.2_lpia.deb\r\n Size/MD5: 21628 f598818f8da06a03e82811d325a0d6aa\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.2_powerpc.deb\r\n Size/MD5: 491462 de9941dcdf7fbcce2ce1771157283b41\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.2_powerpc.deb\r\n Size/MD5: 115408 bf40900dd80d91fc9ba0da14079ba8ba\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.2_powerpc.deb\r\n Size/MD5: 85526 476aadeedd5fe54e094dd754eaf67a1a\r\n 
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.2_powerpc.deb\r\n Size/MD5: 25534 2ce93cbcb6112d91c6b9099cb1f750ce\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-3.1ubuntu0.9.04.2_sparc.deb\r\n Size/MD5: 465896 ab3725414d6572e1d7297a9374aa29c7\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-3.1ubuntu0.9.04.2_sparc.deb\r\n Size/MD5: 105040 70accc7b795a5d0871ba555377860b77\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-3.1ubuntu0.9.04.2_sparc.deb\r\n Size/MD5: 82470 e9e0d296fac9c00496f07d743c52c7a9\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-3.1ubuntu0.9.04.2_sparc.deb\r\n Size/MD5: 21170 efa8d7e1d2a14f843d14f80dae9c755c\r\n\r\nUpdated packages for Ubuntu 9.10:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-6ubuntu0.1.diff.gz\r\n Size/MD5: 14077 1472bf5d0d81031673a907939ca5e13f\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-6ubuntu0.1.dsc\r\n Size/MD5: 1240 06738b4c14538449ec70061555bd5b95\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg.orig.tar.gz\r\n Size/MD5: 1477935 3c7fff70c0989ab3c1c85366bf670818\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6ubuntu0.1_amd64.deb\r\n Size/MD5: 481960 03bdebc10b57dff61913983f7e2c6b12\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6ubuntu0.1_amd64.deb\r\n Size/MD5: 110800 1cd3c19e86f96a82543f00ecc200e450\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6ubuntu0.1_amd64.deb\r\n Size/MD5: 96410 fd88dda1df522a5e4caa3a51f0af75ea\r\n 
http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6ubuntu0.1_amd64.deb\r\n Size/MD5: 21064 f0206b2785ab195deddfbe3c551c1d53\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6ubuntu0.1_i386.deb\r\n Size/MD5: 460010 a465712a5dee205bb3572c69882d84b3\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6ubuntu0.1_i386.deb\r\n Size/MD5: 102444 335555688456137832536be14bc89c30\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6ubuntu0.1_i386.deb\r\n Size/MD5: 78058 3528e4ca888274ae7c081425238d80f4\r\n http://security.ubuntu.com/ubuntu/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6ubuntu0.1_i386.deb\r\n Size/MD5: 22528 3e089ed25e17995ad21e0f9e48e2c192\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6ubuntu0.1_lpia.deb\r\n Size/MD5: 461842 ca8cae4e451a3c39c8485d784a762688\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6ubuntu0.1_lpia.deb\r\n Size/MD5: 103222 3372e8291fe8cbf4fb10ff8cef8daf46\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6ubuntu0.1_lpia.deb\r\n Size/MD5: 78064 67727a08216b600b5a355e1a6c4a2723\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6ubuntu0.1_lpia.deb\r\n Size/MD5: 22282 f8c2669196b70ae210155d5c49127c8e\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6ubuntu0.1_powerpc.deb\r\n Size/MD5: 491998 f7edf9891a62bdaf437d24c012c0995a\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6ubuntu0.1_powerpc.deb\r\n Size/MD5: 113120 3d8780b8b7983e7dac75c021a53a6b9d\r\n 
http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6ubuntu0.1_powerpc.deb\r\n Size/MD5: 84114 a03a7b5b903cd91a3f9ac799ea3c8b91\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6ubuntu0.1_powerpc.deb\r\n Size/MD5: 23840 56dda24b70b6717c7117bbec29d4e3fe\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-6ubuntu0.1_sparc.deb\r\n Size/MD5: 466488 2fd2ffcbb529131155b0f05fba03f376\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-6ubuntu0.1_sparc.deb\r\n Size/MD5: 106288 1d69667318f1e5deece70dc1af2dafac\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-6ubuntu0.1_sparc.deb\r\n Size/MD5: 82834 0a22a390ed4456a001a5b75db9394916\r\n http://ports.ubuntu.com/pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-6ubuntu0.1_sparc.deb\r\n Size/MD5: 21412 354a11cb80e57366d473c1f490210a26\r\n\r\n\r\n", "edition": 1, "modified": "2009-11-25T00:00:00", "published": "2009-11-25T00:00:00", "id": "SECURITYVULNS:DOC:22832", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22832", "title": "[USN-861-1] libvorbis vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "cvelist": ["CVE-2008-2009", "CVE-2009-3379"], "description": "Multiple vulnerabilities in ogg file parsing.", "edition": 1, "modified": "2009-11-25T00:00:00", "published": "2009-11-25T00:00:00", "id": "SECURITYVULNS:VULN:10419", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10419", "title": "libvorbis library multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:24", "bulletinFamily": "unix", "cvelist": 
["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "edition": 1, "description": "### Background\n\nlibvorbis is the reference implementation of the Xiph.org Ogg Vorbis audio file format. It is used by many applications for playback of Ogg Vorbis files. \n\n### Description\n\nWill Drewry of the Google Security Team reported multiple vulnerabilities in libvorbis: \n\n * A zero value for \"codebook.dim\" is not properly handled, leading to a crash, infinite loop or triggering an integer overflow (CVE-2008-1419). \n * An integer overflow in \"residue partition value\" evaluation might lead to a heap-based buffer overflow (CVE-2008-1420). \n * An integer overflow in a certain \"quantvals\" and \"quantlist\" calculation might lead to a heap-based buffer overflow (CVE-2008-1423). \n\n### Impact\n\nA remote attacker could exploit these vulnerabilities by enticing a user to open a specially crafted Ogg Vorbis file or network stream with an application using libvorbis. This might lead to the execution of arbitrary code with the privileges of the user playing the file or a Denial of Service by a crash or CPU consumption. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll libvorbis users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/libvorbis-1.2.1_rc1\"", "modified": "2008-06-23T00:00:00", "published": "2008-06-23T00:00:00", "id": "GLSA-200806-09", "href": "https://security.gentoo.org/glsa/200806-09", "type": "gentoo", "title": "libvorbis: Multiple vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-11-11T13:21:17", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1420", "CVE-2008-1419", "CVE-2008-1423"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1591-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nJune 03, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : libvorbis\nVulnerability : several\nProblem type : local (remote)\nDebian-specific: no\nCVE Id(s) : CVE-2008-1419 CVE-2008-1420 CVE-2008-1423\nDebian Bug : 482518\n\nSeveral local (remote) vulnerabilities have been discovered in libvorbis,\na library for the Vorbis general-purpose compressed audio codec. 
The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2008-1419\n\n libvorbis does not properly handle a zero value which allows remote\n attackers to cause a denial of service (crash or infinite loop) or\n trigger an integer overflow.\n\nCVE-2008-1420\n\n Integer overflow in libvorbis allows remote attackers to execute\n arbitrary code via a crafted OGG file, which triggers a heap overflow.\n\nCVE-2008-1423\n\n Integer overflow in libvorbis allows remote attackers to cause a denial\n of service (crash) or execute arbitrary code via a crafted OGG file\n which triggers a heap overflow.\n\nFor the stable distribution (etch), these problems have been fixed in version\n1.1.2.dfsg-1.4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.2.0.dfsg-3.1. \n\nWe recommend that you upgrade your libvorbis package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.dsc\n Size/MD5 checksum: 787 2f0bfd28fb368c43c56332e7de7a2e3d\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg.orig.tar.gz\n Size/MD5 checksum: 1312540 44cf09fef7f78e7c6ba7dd63b6137412\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis_1.1.2.dfsg-1.4.diff.gz\n Size/MD5 checksum: 15782 62527e6adcff1dca42018a0252b19b91\n\nalpha architecture (DEC Alpha)\n\n 
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_alpha.deb\n Size/MD5 checksum: 94500 edb2728b48cd6fc0357f62a7dc8fca5c\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_alpha.deb\n Size/MD5 checksum: 110468 8273babee8a08c373671b468469b2ede\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_alpha.deb\n Size/MD5 checksum: 19202 925dfba3f212e8b69c760c433b119716\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_alpha.deb\n Size/MD5 checksum: 494958 0052fe78f4be43cb9a7f42ea2b25f7fe\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_amd64.deb\n Size/MD5 checksum: 17790 f49da89a8b972614687f3a5e2f6c5bac\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_amd64.deb\n Size/MD5 checksum: 93498 241499415b96f3e348d1ec9c66a45981\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_amd64.deb\n Size/MD5 checksum: 101508 63e1e8392876a822dc664e21b19e0185\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_amd64.deb\n Size/MD5 checksum: 468670 8c6c80eb7b8e7f8b49be1447357ebce1\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_arm.deb\n Size/MD5 checksum: 75744 03dad28341cde24fbbfd20444bf346c2\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_arm.deb\n Size/MD5 checksum: 18528 508cb939f65a367447c44add9dd8c11a\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_arm.deb\n Size/MD5 checksum: 98190 a09c2d3021f7b9d2d9b2bf04b2d30957\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_arm.deb\n Size/MD5 checksum: 458578 
6dcadbb28c56a0a9368bfcd67b28d3fa\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_hppa.deb\n Size/MD5 checksum: 483196 0435784553fb2b9c08c915da58c3c7e1\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_hppa.deb\n Size/MD5 checksum: 21978 6ade3e3b040f8e01c4fe023df6faf2de\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_hppa.deb\n Size/MD5 checksum: 108084 7d263ee14d29b787b0f32710ae2bffdf\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_hppa.deb\n Size/MD5 checksum: 92430 72180513d203103e56e4929ca6da035f\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_i386.deb\n Size/MD5 checksum: 453652 55bc31f817b6806d19d8f0696cc288cd\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_i386.deb\n Size/MD5 checksum: 18884 5d4f1bccf5efa0d5ba5767b49f97d253\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_i386.deb\n Size/MD5 checksum: 75346 f11509bd2b430f8be62706a13748d6bc\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_i386.deb\n Size/MD5 checksum: 98176 d5b46716c8ab083b9c00b523a73a81b9\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_ia64.deb\n Size/MD5 checksum: 98022 dabf436427e867a81074bdca0c53ef6e\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_ia64.deb\n Size/MD5 checksum: 510180 1c4e1c58e7d63f10ff7efaf3a6555f46\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_ia64.deb\n Size/MD5 checksum: 24700 8dadf685db0738f52c4b47420eff588a\n 
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_ia64.deb\n Size/MD5 checksum: 136046 b5d657cad9154915f0a9c0779e68cf1c\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mips.deb\n Size/MD5 checksum: 104986 3d6d14fff3621ed344e88e7bb57ae627\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mips.deb\n Size/MD5 checksum: 81588 e776156e4d5647f0aa591ea8b01d3aad\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mips.deb\n Size/MD5 checksum: 20946 5f5eca06d6b715087a4298d2db944fcf\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mips.deb\n Size/MD5 checksum: 479286 4a9404dab651fd387901d6eb223bd835\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_mipsel.deb\n Size/MD5 checksum: 76982 63638be1a06154fa1126e5be3a4ac95e\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_mipsel.deb\n Size/MD5 checksum: 469086 9c31f061ab04690bf52876821a9383ea\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_mipsel.deb\n Size/MD5 checksum: 20944 5f59636c00cbe76590ac1ef23235cd8d\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_mipsel.deb\n Size/MD5 checksum: 104948 be1bf5fd730d239f5cd62a92cd4b75e4\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_powerpc.deb\n Size/MD5 checksum: 105760 ba397af813b092de9bea72accb46db4b\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_powerpc.deb\n Size/MD5 checksum: 21394 7e12a198ce7bed6922d20da108e5bad5\n 
http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_powerpc.deb\n Size/MD5 checksum: 82558 1299949b45c3a6fdba4fa64fcf48dc53\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_powerpc.deb\n Size/MD5 checksum: 475206 7cda1ebdffc9b47d90efa594bea5d5b8\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_s390.deb\n Size/MD5 checksum: 452736 403af241544bf4fd66f4993003f0f192\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_s390.deb\n Size/MD5 checksum: 90546 f2f4a9e7410b946b91c4d44cef18f5af\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_s390.deb\n Size/MD5 checksum: 102548 ad43cb11ddff398ee0a83ded1a024321\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_s390.deb\n Size/MD5 checksum: 20920 7ffdc1f9962394073efae81356780428\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis0a_1.1.2.dfsg-1.4_sparc.deb\n Size/MD5 checksum: 98252 fad4afe3566e986fe819a0fff6a2376e\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbis-dev_1.1.2.dfsg-1.4_sparc.deb\n Size/MD5 checksum: 453410 ce3775bb59d55b9ba7e34469225e0d20\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisfile3_1.1.2.dfsg-1.4_sparc.deb\n Size/MD5 checksum: 17888 4eaf8a0cfd4f3b1c6f8332ccf1bf6ef4\n http://security.debian.org/pool/updates/main/libv/libvorbis/libvorbisenc2_1.1.2.dfsg-1.4_sparc.deb\n Size/MD5 checksum: 79796 57795226ac31a7b5bf7793e4e14dc89a\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-06-03T11:30:58", "published": "2008-06-03T11:30:58", "id": "DEBIAN:DSA-1591-1:C813C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00171.html", "title": "[SECURITY] [DSA 1591-1] New libvorbis packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423"], "description": "Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis. ", "modified": "2008-05-14T22:08:55", "published": "2008-05-14T22:08:55", "id": "FEDORA:M4EM8E0Z000569", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 7 Update: libvorbis-1.1.2-4.fc7", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423"], "description": "Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis. 
", "modified": "2008-05-14T22:10:23", "published": "2008-05-14T22:10:23", "id": "FEDORA:M4EMAF5Y000682", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: libvorbis-1.2.0-4.fc9", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1419", "CVE-2008-1420", "CVE-2008-1423"], "description": "Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis. ", "modified": "2008-05-14T22:08:15", "published": "2008-05-14T22:08:15", "id": "FEDORA:M4EM8C0V000542", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: libvorbis-1.2.0-2.fc8", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}