oCERT-2008-004 multiple speex implementations insufficient boundary checks

Description:

The reference speex decoder from the Speex library performs insufficient boundary checks on a header structure read from user input; this has been reported in the oCERT-2008-002 advisory.

Further investigation showed that several packages include similar code and are therefore vulnerable.

In order to prevent the usage of incorrect header processing reference code, the speex_packet_to_header() function has been modified to bound the returned mode values in Speex >= 1.2beta3.2. This change automatically fixes applications that use the Speex library dynamically.
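The check described above, as an added example that is not code from Speex or from any of the affected packages. It assumes the mode value read from the header is used to index a table of modes; mode_list, toy_mode, parse_mode, select_mode and the 12-byte packet layout are hypothetical stand-ins constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the Speex API or its real header layout. */
#define NB_MODES 3
typedef struct { const char *name; int frame_size; } toy_mode;
static const toy_mode mode_list[NB_MODES] = {
    {"narrowband", 160}, {"wideband", 320}, {"ultra-wideband", 640}
};

#define HDR_LEN 12 /* constructed layout: 8-byte magic + 32-bit LE mode */

/* Read the mode field; returns 0 on success, -1 on a short or bad packet. */
static int parse_mode(const uint8_t *pkt, size_t len, int32_t *mode_out)
{
    if (len < HDR_LEN || memcmp(pkt, "Speex   ", 8) != 0)
        return -1;
    uint32_t raw = (uint32_t)pkt[8] | (uint32_t)pkt[9] << 8 |
                   (uint32_t)pkt[10] << 16 | (uint32_t)pkt[11] << 24;
    *mode_out = (int32_t)raw; /* untrusted input, may be negative */
    return 0;
}

/* Unchecked pattern (shown only as a comment, never compiled):
 *     const toy_mode *m = &mode_list[mode];    mode comes from the file
 */

/* Checked lookup: reject negative and too-large modes before indexing. */
const toy_mode *select_mode(const uint8_t *pkt, size_t len)
{
    int32_t mode;
    if (parse_mode(pkt, len, &mode) != 0)
        return NULL;
    if (mode < 0 || mode >= NB_MODES)
        return NULL;
    return &mode_list[mode];
}

int main(void)
{
    /* Constructed sample packets: valid mode 1, then mode 0x7fffffff. */
    const uint8_t ok[HDR_LEN]  = {'S','p','e','e','x',' ',' ',' ', 1, 0, 0, 0};
    const uint8_t bad[HDR_LEN] = {'S','p','e','e','x',' ',' ',' ', 0xff, 0xff, 0xff, 0x7f};
    const toy_mode *m = select_mode(ok, sizeof ok);
    printf("ok:  %s\n", m ? m->name : "rejected");
    m = select_mode(bad, sizeof bad);
    printf("bad: %s\n", m ? m->name : "rejected");
    return 0;
}
```

Callers treat a NULL return as a malformed stream and stop decoding instead of continuing with a default mode.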

Affected version:

gstreamer-plugins-good <= 0.10.7

SDL_sound <= 1.0.1

Speex <= 1.1.12 (speexdec)

Sweep <= 0.9.2

vorbis-tools <= 1.2.0

VLC Media Player <= 0.8.6f

xine-lib <= 1.11.1.1

XMMS speex plugin

Fixed version:

gstreamer-plugins-good >= 0.10.8 (patched in CVS)

SDL_sound >= 1.0.2

Speex >= 1.2beta3.2 (patched in CVS)

Sweep >= 0.9.3

vorbis-tools, patched in CVS

VLC Media Player, patched in GIT

xine-lib >= 1.1.12

XMMS speex plugin, N/A

Credit: see oCERT-2008-002; additionally, we would like to thank Tomas Hoger from the Red Hat Security Response Team for his help in investigating the issue.

CVE: CVE-2008-1686

Timeline:

2008-04-10: investigation of oCERT-2008-002 leads to discovery of more affected packages
2008-04-10: Speex header processing code fixed in CVS
2008-04-11: contacted upstream maintainers and affected vendors
2008-04-11: gstreamer-plugins-good patched in CVS
2008-04-11: sweep 0.9.3 released
2008-04-11: SDL_sound patched in CVS
2008-04-14: vorbis-tools patched in CVS
2008-04-14: xine-lib 1.1.12 released
2008-04-17: advisory release
2008-04-17: SDL_sound 1.0.2 released
2008-04-17: VLC patched in GIT

References:
oCERT-2008-2
http://trac.xiph.org/changeset/14701
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r=1.40&r2=1.41
http://trac.metadecks.org/changeset/554
http://svn.icculus.org/SDL_sound?view=rev&revision=537
http://svn.icculus.org/SDL_sound?view=rev&revision=538
http://trac.xiph.org/changeset/14728
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=66e1654718fb;style=gitweb
http://trac.videolan.org/vlc/changeset/8060b3457e20e6223b70927693f8da8f547b8fef