=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN147
_____________________________________________________________________

DATE                      : 21/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running speex decoder.

======================================================================
http://www.ocert.org/advisories/ocert-2008-004.html
______________________________________________________________________

#2008-004 multiple speex implementations insufficient boundary checks

Description:

The reference speex decoder from the Speex library performs insufficient
boundary checks on a header structure read from user input, this has
been reported in oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code
and are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference
code, the speex_packet_to_header() function has been modified to bound
the returned mode values in Speex >= 1.2beta3.2. This change
automatically fixes applications that use the Speex library dynamically.


Affected version:

gstreamer-plugins-good <= 0.10.8

SDL_sound <= 1.0.1

Speex <= 1.1.12 (speexdec)

Sweep <= 0.9.2

vorbis-tools <= 1.2.0

VLC Media Player <= 0.8.6f

xine-lib <= 1.11.1.1

XMMS speex plugin


Fixed version:

gstreamer-plugins-good >= 0.10.8 (patched in CVS)

SDL_sound >= 1.0.2

Speex >= 1.2beta3.2 (patched in CVS)

Sweep >= 0.9.3

vorbis-tools, patched in CVS

VLC Media Player, patched in GIT

xine-lib >= 1.1.12

XMMS speex plugin, N/A


Credit:

see oCERT-2008-002, additionally we would like to thank Tomas Hoger from
the Red Hat Security Response Team for his help in investigating the
issue.

CVE:

CVE-2008-1686


Timeline:

2008-04-10: investigation of oCERT-2008-002 leads to discovery of more 
affected packages
2008-04-10: Speex header processing code fixed in CVS
2008-04-11: contacted upstream maintainers and affected vendors
2008-04-11: gstreamer-plugins-good patched in CVS
2008-04-11: sweep 0.9.3 released
2008-04-11: SDL_sound patched in CVS
2008-04-14: vorbis-tools patched in CVS
2008-04-14: xine-lib 1.1.12 released
2008-04-17: advisory release
2008-04-17: SDL_sound 1.0.2 released
2008-04-17: VLC patched in GIT


References:

http://www.ocert.org/advisories/ocert-2008-2.html
http://trac.xiph.org/changeset/14701
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r=1.40&r2=1.41
http://trac.metadecks.org/changeset/554
http://svn.icculus.org/SDL_sound?view=rev&revision=537
http://svn.icculus.org/SDL_sound?view=rev&revision=538
http://trac.xiph.org/changeset/14728
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718fb;style=gitweb 
http://trac.videolan.org/vlc/changeset/8060b3457e20e6223b70927693f8da8f547b8fef

Permalink:
http://www.ocert.org/advisories/ocert-2008-004.html



======================================================================

           =========================================================
           Les serveurs de re'fe'rence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================