Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

libvorbis 1.1.2 - Multiple memory corruption flaws

from [David Thiel] Network Security [Permanent Link]
Subject: libvorbis 1.1.2 - Multiple memory corruption flaws
Date: Thu, 26 Jul 2007 10:18:33 -0700 
iSEC Partners Security Advisory - 2007-003-libvorbis
http://www.isecpartners.com
--------------------------------------------

libvorbis 1.1.2 - Multiple memory corruption flaws

Vendor: Xiph.org
Vendor URL: http://www.xiph.org
Systems Affected: All tested software based upon libvorbis 1.1.2
Severity: High (Heap corruption, Denial of Service, Potential code execution)
Author: David Thiel <david[at]isecpartners[dot]com>

Vendor notified: 2007-06-05
Public release: 2007-07-26
Advisory URL: http://www.isecpartners.com/advisories/2007-003-libvorbis.txt

Summary:
--------

libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite,
read violations and a function pointer overwrite. These bugs cause a
at least a denial of service, and potentially code execution.

Details:
--------

Invalid blocksize_0 and blocksize_1 values result in a heap overwrite in
the _01inverse() function of res0.c.

An invalid mapping type causes an out of bounds dispatch table
lookup, offset by an attacker-controlled value, during cleanup in
vorbis_info_clear() in info.c.

Additionally, invalid blocksize values cause a segmentation fault on 
read in block.c.

Fix Information:
----------------

These issues are resolved in libvorbis 1.2.0, available at:

http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.bz2

Thanks to:
----------

Ralph Giles and Xiphmont of Xiph.org for their detailed help determining
root causes of and fixes for these issues.

About iSEC Partners:
--------------------

iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification, with offices in San Francisco and 
Seattle.

Information on testing media players and codecs to expose and prevent
similar bugs and tools to do the same will be presented at BlackHat USA
2007.

http://www.isecpartners.com
info@isecpartners.com
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • libvorbis 1.1.2 - Multiple memory corruption flaws, David Thiel <=
Previous by Date:  [security bulletin] HPSBMA02133 SSRT061201 rev.5 - HP Oracle for OpenView (OfO) Critical Patch Update, security-alert
Next by Date:  Guidance Software response to iSEC report on EnCase, larry . gill
Previous by Thread:  [security bulletin] HPSBMA02133 SSRT061201 rev.5 - HP Oracle for OpenView (OfO) Critical Patch Update, security-alert
Next by Thread:  Guidance Software response to iSEC report on EnCase, larry . gill
Indexes:  [Date] [Thread] [Top] [All Lists]