CVE-2008-1686 in Ubuntu

CVE-2008-1686

Priority

Description

Array index vulnerability in Speex 1.1.12 and earlier, as used in
libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters
and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other
products, allows remote attackers to execute arbitrary code via a header
structure containing a negative offset, which is used to dereference a
function pointer.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
https://ubuntu.com/security/notices/USN-611-1
https://ubuntu.com/security/notices/USN-611-2
https://ubuntu.com/security/notices/USN-611-3
https://ubuntu.com/security/notices/USN-635-1

Bugs

https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652
https://qa.mandriva.com/show_bug.cgi?id=39768

Assigned-to

jdstrand

Notes

jdstrand

upstream libfishsound should have a patch
filed Debian bug #480059 for vorbis-tools (to hopefully get via
merge in intrepid)
Mandriva reference is a regression bug (and fix) for xine-lib

Package

Source: gst-plugins-good0.10 (LP Ubuntu Debian)

Upstream:	released (0.10.8)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (0.10.8-2)

Patches:

Vendor:	http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:092
Upstream:	http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41

Package

Source: libfishsound (LP Ubuntu Debian)

Upstream:	released (0.7.0-2.2)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (0.7.0-2.3)

Patches:

Package

Source: speex (LP Ubuntu Debian)

Upstream:	released (1.2beta3.2)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (1.2~beta3.2-1)

Patches:

Vendor:	http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:094
Vendor:	http://rhn.redhat.com/errata/RHSA-2008-0235.html

Package

Source: sweep (LP Ubuntu Debian)

Upstream:	released (0.9.3)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (0.9.3-1)

Patches:

Package

Source: vlc (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	released (0.8.6.release.h-1ubuntu1)

Patches:

Other:

http://trac.videolan.org/vlc/changeset/c1c81073e661f7d80197711ab11753e1e170b44c

Package

Source: vorbis-tools (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	released (1.2.0-2)

Patches:

Vendor:	http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:093
Upstream:	https://trac.xiph.org/changeset/14701

Package

Source: xine-lib (LP Ubuntu Debian)

Upstream:	released (1.1.12)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (1.1.12-2ubuntu2)

Patches:

Other:

http://hg.debian.org/hg/xine-lib/xine-lib/?cmd=changeset;node=d8e1305c13820b82d896f7bc77d196b9c9645dd6;style=raw

Package

Source: xmms-speex (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	DNE

Patches:

More Information

Updated: 2022-02-10 23:31:35 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)