__________________________________________________________

                    The U.S. Department of Energy
                Computer Incident Advisory Capability
                           ___  __ __ _     ___
                          /       |   /_\   /
                          \___  __|__ /   \ \___
__________________________________________________________

                          INFORMATION BULLETIN

                         Speex Security Update
                      [Red Hat RHSA-2008:0235-4]

April 25, 2008 12:00 GMT                                        Number S-272
[REVISED 29 May 2008]
______________________________________________________________________________

PROBLEM:       The Speex library was found to not properly validate input
               values read from the Speex file headers, which could allow
               arbitrary code execution.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0 (etch)

DAMAGE:        DoS or execute arbitrary code.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker could create a malicious Speex
ASSESSMENT:    file that would crash an application or, possibly, allow
               arbitrary code execution with the privileges of the
               application calling the Speex library.
______________________________________________________________________________

CVSS 2
BASE SCORE:     7.5
TEMPORAL SCORE: 6.2
VECTOR:         (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-272.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0235.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2008/dsa-1585
                     http://www.debian.org/security/2008/dsa-1584
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
______________________________________________________________________________

REVISION HISTORY:
 05/29/2008 - revised S-272 to add links to Debian Security Advisories
              DSA-1585-1 and DSA-1584-1 for Debian GNU/Linux 4.0 (etch).

[***** Start Red Hat RHSA-2008:0235-4 *****]

Important: speex security update

Advisory:        RHSA-2008:0235-4
Type:            Security Advisory
Severity:        Important
Issued on:       2008-04-16
Last updated on: 2008-04-16

Affected Products:
  RHEL Desktop Workstation (v. 5 client)
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux (v. 5 server)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux Desktop (v. 5 client)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 4)

OVAL: com.redhat.rhsa-20080235.xml
CVEs (cve.mitre.org): CVE-2008-1686

Details

Updated speex packages that fix a security issue are now available for Red
Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Speex is a patent-free compression format designed especially for speech.
The Speex package contains a library for handling Speex files and sample
encoder and decoder implementations using this library.

The Speex library was found to not properly validate input values read from
the Speex file headers.
An attacker could create a malicious Speex file that would crash an
application or, possibly, allow arbitrary code execution with the privileges
of the application calling the Speex library. (CVE-2008-1686)

All users of speex are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux 4 (Red Hat Desktop, AS, ES, WS):
  SRPMS: speex-1.0.4-4.el4_6.1.src.rpm
  speex and speex-devel 1.0.4-4.el4_6.1 binary packages

Red Hat Enterprise Linux 5 (Desktop Workstation, server, Desktop):
  SRPMS: speex-1.0.5-4.el5_1.1.src.rpm
  speex and speex-devel 1.0.5-4.el5_1.1 binary packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

441239 - CVE-2008-1686 speex, libfishsound: insufficient boundary checks

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0235-4 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.
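The missing input validation described in the Details section, shown as an added illustration in C (not code from the Red Hat bulletin, CIAC, or the Speex project): every header field is range-checked before it can be used as a table index or a size. The 80-byte stream header layout and the three-entry mode table are assumed from the Speex format; the limits on channels and frames per packet are this example's own policy, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Speex stream header: 8-byte magic, 20-byte version string, then 13
 * little-endian int32 fields, 80 bytes in all. Layout as in the Speex
 * format (an assumption of this example, not taken from the bulletin). */
#define SPEEX_HEADER_BYTES 80
#define SPEEX_NB_MODES 3  /* narrowband, wideband, ultra-wideband */

static int32_t rd_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, int32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)((uint32_t)v >> (8 * i));
}

/* Check the header before any field is used as an index or a size.
 * Returns the mode index (0..SPEEX_NB_MODES-1), or -1 if rejected. */
int speex_header_check(const uint8_t *buf, size_t len)
{
    if (len < SPEEX_HEADER_BYTES || memcmp(buf, "Speex   ", 8) != 0) return -1;
    int32_t header_size = rd_le32(buf + 32), rate = rd_le32(buf + 36);
    int32_t mode = rd_le32(buf + 40), nb_channels = rd_le32(buf + 48);
    int32_t frame_size = rd_le32(buf + 56), fpp = rd_le32(buf + 64);
    /* mode selects an entry of a fixed mode table; a negative or oversized
     * value taken straight from the file would index outside that table. */
    if (mode < 0 || mode >= SPEEX_NB_MODES) return -1;
    /* The remaining limits are this example's own policy, not the library's. */
    if (header_size < SPEEX_HEADER_BYTES || rate <= 0 || frame_size <= 0) return -1;
    if (nb_channels < 1 || nb_channels > 2 || fpp < 1 || fpp > 10) return -1;
    return mode;
}

/* Build a constructed, otherwise well-formed header with the given fields. */
void make_header(uint8_t out[SPEEX_HEADER_BYTES], int32_t mode, int32_t nb_channels)
{
    memset(out, 0, SPEEX_HEADER_BYTES);
    memcpy(out, "Speex   ", 8);
    wr_le32(out + 32, SPEEX_HEADER_BYTES);  /* header_size */
    wr_le32(out + 36, 8000);                /* rate */
    wr_le32(out + 40, mode);
    wr_le32(out + 48, nb_channels);
    wr_le32(out + 56, 160);                 /* frame_size */
    wr_le32(out + 64, 1);                   /* frames_per_packet */
}
```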
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update