CVE-2008-1423

Publication date 16 May 2008

Last updated 24 July 2024


Ubuntu priority

Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.

Status

Package     Ubuntu Release    Status
libvorbis   8.10 intrepid     Not affected
libvorbis   8.04 LTS hardy    Fixed 1.2.0.dfsg-2ubuntu0.1
libvorbis   7.10 gutsy        Fixed 1.2.0.dfsg-1ubuntu0.1
libvorbis   7.04 feisty       Ignored end of life, was needed
libvorbis   6.06 LTS dapper   Fixed 1.1.2-0ubuntu2.3

Patch details

For informational purposes only. We recommend against cherry-picking updates. How can I get the fixes?

Package Patch details
libvorbis

References

Related Ubuntu Security Notices (USN)

    • USN-682-1: libvorbis vulnerabilities (1 December 2008)

Other references