blob: b85a37b67a6d261c930a3b0cfb6ce391727e9286 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200909-02">
<title>libvorbis: User-assisted execution of arbitrary code</title>
A processing error in libvorbis might result in the execution of arbitrary
code or a Denial of Service.
<product type="ebuild">libvorbis</product>
<announced>September 07, 2009</announced>
<revised>September 07, 2009: 01</revised>
<package name="media-libs/libvorbis" auto="yes" arch="*">
<unaffected range="ge">1.2.3</unaffected>
<vulnerable range="lt">1.2.3</vulnerable>
libvorbis is the reference implementation of the Ogg Vorbis
audio file format. It is used by many applications for playback of Ogg
Vorbis files.
Lucas Adamski reported that libvorbis does not correctly process file
headers, related to static mode headers and encoding books.
<impact type="normal">
A remote attacker could entice a user to play a specially crafted OGG
Vorbis file using an application that uses libvorbis, possibly
resulting in the execution of arbitrary code with the privileges of the
user running the application, or a Denial of Service.
There is no known workaround at this time.
All libvorbis users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-libs/libvorbis-1.2.3&quot;</code>
<uri link="">CVE-2009-2663</uri>
<metadata tag="requester" timestamp="Mon, 31 Aug 2009 02:17:32 +0000">
<metadata tag="submitter" timestamp="Mon, 31 Aug 2009 02:42:12 +0000">
<metadata tag="bugReady" timestamp="Mon, 31 Aug 2009 03:38:56 +0000">