In association with heise online

15 May 2008, 09:01

Security leaks in libvorbis enable code injection

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Will Drewry of the Google Security Team has discovered several vulnerabilities in the open-source libvorbis multimedia library that attackers can exploit in order to inject malicious code using crafted media files.

Defective or manipulated Ogg Vorbis files with a codebook dimension of zero can make applications that link to libvorbis crash, enter an endless loop, or even execute code that has been injected onto the heap by an induced buffer overflow. When processing a file with a zero size codebook, integer overflows can occur and cause heap-based buffer overflows when the quantization values and the size of the quantization table are being calculated.

The developers have already eliminated these and other similar flaws in their version management system. Red Hat is now providing updated packages, and the other Linux distributors are likely to do so shortly. Users should rapidly import the new packages as soon as they are available.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit