PublicDateAtUSN: 2008-05-16
PublicDate: 2008-05-16 12:54:00 UTC
Candidate: CVE-2008-2009
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2009
 https://bugzilla.redhat.com/show_bug.cgi?id=444443
 https://ubuntu.com/security/notices/USN-861-1
Description:
 Xiph.org libvorbis before 1.0 does not properly check for underpopulated
 Huffman trees, which allows remote attackers to cause a denial of service
 (crash) via a crafted OGG file that triggers memory corruption during
 execution of the _make_decode_tree function.
Ubuntu-Description:
Notes:
 mdeslaur> description is misleading, part of the patch applies to
 mdeslaur> recent versions.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482039
 https://bugzilla.redhat.com/show_bug.cgi?id=444443
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_libvorbis:
 upstream: https://trac.xiph.org/changeset/2959
 upstream: https://trac.xiph.org/changeset/2960
 upstream: https://trac.xiph.org/changeset/14811
upstream_libvorbis: released (1.0)
dapper_libvorbis: ignored (end of life)
hardy_libvorbis: released (1.2.0.dfsg-2ubuntu0.3)
intrepid_libvorbis: released (1.2.0.dfsg-3.1ubuntu0.8.10.2)
jaunty_libvorbis: released (1.2.0.dfsg-3.1ubuntu0.9.04.2)
karmic_libvorbis: not-affected (1.2.0.dfsg-6)
devel_libvorbis: not-affected (1.2.3-3)