USN-498-1: libvorbis vulnerabilities

16 August 2007

libvorbis vulnerabilities

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Details

David Thiel discovered that libvorbis did not correctly verify the size
of certain headers, and did not correctly clean up a broken stream.
If a user were tricked into processing a specially crafted Vorbis stream,
a remote attacker could execute arbitrary code with the user's privileges.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.04
  • libvorbis0a - 1.1.2.dfsg-1.2ubuntu2
Ubuntu 6.10
  • libvorbis0a - 1.1.2-1ubuntu1.2
Ubuntu 6.06
  • libvorbis0a - 1.1.2-0ubuntu2.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.