
CVE-2008-2009

Published: 16 May 2008

Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.

Notes

Author: mdeslaur
Note: description is misleading, part of the patch applies to recent versions.
Priority

Low

Status

Package: libvorbis (Launchpad, Ubuntu, Debian)

Release   Status
dapper    Ignored (end of life)
hardy     Released (1.2.0.dfsg-2ubuntu0.3)
intrepid  Released (1.2.0.dfsg-3.1ubuntu0.8.10.2)
jaunty    Released (1.2.0.dfsg-3.1ubuntu0.9.04.2)
karmic    Not vulnerable (1.2.0.dfsg-6)
upstream  Released (1.0)

Patches:
upstream: https://trac.xiph.org/changeset/2959
upstream: https://trac.xiph.org/changeset/2960
upstream: https://trac.xiph.org/changeset/14811