Security leaks in libvorbis enable code injection

Will Drewry of the Google Security Team has discovered several vulnerabilities in the open-source libvorbis multimedia library that attackers can exploit in order to inject malicious code using crafted media files.

Defective or manipulated Ogg Vorbis files with a codebook dimension of zero can make applications that link to libvorbis crash, enter an endless loop, or even execute code that has been injected onto the heap by an induced buffer overflow. When processing a file with a zero size codebook, integer overflows can occur and cause heap-based buffer overflows when the quantization values and the size of the quantization table are being calculated.

The developers have already eliminated these and other similar flaws in their version management system. Red Hat is now providing updated packages, and the other Linux distributors are likely to do so shortly. Users should rapidly import the new packages as soon as they are available.

See also:

• libvorbis security update, security report from Red Hat
• Add code to prevent heap attacks, changes in the Xiph version management system
• Don't leave the silly debugging malloc enabled, change in the Xiph version management system
• correctly handle the nonsensical codebook.dim==0 case, changes in the Xiph version management system
• dd checks/rejection for absurdly huge codebooks, change in the Xiph version management system

(mba)