CVE-2008-2009 - Vulnerability Details - OpenCVE

Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Redhat	Enterprise Linux
Xiph.org	Libvorbis

Configuration 1 [-]

OR	cpe:2.3:a:xiph.org:libvorbis:1.0:beta4::::::
	cpe:2.3:a:xiph.org:libvorbis:1.0:rc1::::::
	cpe:2.3:a:xiph.org:libvorbis:1.0:rc2::::::

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:8.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:9.10:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 2.1
libvorbis-0:1.0rc2-9.el2	cpe:/o:redhat:enterprise_linux:2.1	RHSA-2008:0271	2008-05-14T00:00:00Z

References

Link	Providers
http://secunia.com/advisories/30247
http://www.redhat.com/support/errata/RHSA-2008-0271.html
http://www.securitytracker.com/id?1020029
http://www.ubuntu.com/usn/USN-861-1
http://www.vupen.com/english/advisories/2008/1510/references
https://bugzilla.redhat.com/show_bug.cgi?id=444443
https://exchange.xforce.ibmcloud.com/vulnerabilities/42521
https://nvd.nist.gov/vuln/detail/CVE-2008-2009
https://www.cve.org/CVERecord?id=CVE-2008-2009

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2008-05-16T06:54:00

Updated: 2024-08-07T08:41:00.433Z

Reserved: 2008-04-29T00:00:00

Link: CVE-2008-2009

Vulnrichment

No data.

NVD

Status : Modified

Published: 2008-05-16T12:54:00.000

Modified: 2024-11-21T00:45:52.663

Link: CVE-2008-2009

Redhat

Severity : Important

Publid Date: 2008-05-14T00:00:00Z

Links: CVE-2008-2009 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-05-14T00:00:00", "descriptions": [{"lang": "en", "value": "Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=444443"}, {"name": "RHSA-2008:0271", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0271.html"}, {"name": "1020029", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020029"}, {"name": "USN-861-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-861-1"}, {"name": "ADV-2008-1510", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1510/references"}, {"name": "30247", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30247"}, {"name": "libvorbis-makedecodetree-dos(42521)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42521"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:41:00.433Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=444443"}, {"name": "RHSA-2008:0271", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0271.html"}, {"name": "1020029", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1020029"}, {"name": "USN-861-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-861-1"}, {"name": "ADV-2008-1510", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1510/references"}, {"name": "30247", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30247"}, {"name": "libvorbis-makedecodetree-dos(42521)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42521"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2008-2009", "datePublished": "2008-05-16T06:54:00", "dateReserved": "2008-04-29T00:00:00", "dateUpdated": "2024-08-07T08:41:00.433Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xiph.org:libvorbis:1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "6F469817-2DAF-4184-AE56-2AF9609E8D38", "vulnerable": true}, {"criteria": "cpe:2.3:a:xiph.org:libvorbis:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "6EC995B3-2BEB-464B-B30A-0B32615F7228", "vulnerable": true}, {"criteria": "cpe:2.3:a:xiph.org:libvorbis:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D01CA748-6299-4776-BC29-19D487BEC0DF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*", "matchCriteriaId": "C91D2DBF-6DA7-4BA2-9F29-8BD2725A4701", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*", "matchCriteriaId": "4747CC68-FAF4-482F-929A-9DA6C24CB663", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*", "matchCriteriaId": "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*", "matchCriteriaId": "A2BCB73E-27BB-4878-AD9C-90C4F20C25A0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function."}, {"lang": "es", "value": "Xiph.org libvorbis versiones anteriores a 1.0 no comprueba apropiadamente para \u00e1rboles poco poblados Huffman, lo cual permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de ficheros OGG manipulados que disparan una corrupci\u00f3n de memoria durante la ejecuci\u00f3n de la funci\u00f3n _make_decode_tree."}], "evaluatorComment": "Per http://svn.xiph.org/trunk/vorbis/CHANGES, 1.0 is the first stable release of libvorbis. No version of libvorbis before 1.0 has been confirmed at this time.", "id": "CVE-2008-2009", "lastModified": "2024-11-21T00:45:52.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-05-16T12:54:00.000", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30247"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0271.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1020029"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-861-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2008/1510/references"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=444443"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42521"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/30247"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0271.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1020029"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-861-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2008/1510/references"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=444443"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42521"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}