Security Advisory Important: libvorbis security update

Advisory: RHSA-2007:0845-4
Type: Security Advisory
Severity: Important
Issued on: 2007-09-19
Last updated on: 2007-09-19
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-3106
CVE-2007-4029
CVE-2007-4065
CVE-2007-4066

Details

Updated libvorbis packages to correct several security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The libvorbis package contains runtime libraries for use in programs that
support Ogg Voribs. Ogg Vorbis is a fully open, non-proprietary, patent-and
royalty-free, general-purpose compressed audio format.

Several flaws were found in the way libvorbis processed audio data. An
attacker could create a carefully crafted OGG audio file in such a way that
it could cause an application linked with libvorbis to crash or execute
arbitrary code when it was opened. (CVE-2007-3106, CVE-2007-4029,
CVE-2007-4065, CVE-2007-4066)

Users of libvorbis are advised to upgrade to this updated package, which
contains backported patches that resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
libvorbis-devel-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     02630426500b6cf0747ad0fb9e7d8e2a
 
x86_64:
libvorbis-devel-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     02630426500b6cf0747ad0fb9e7d8e2a
libvorbis-devel-1.1.2-3.el5.0.x86_64.rpm
File outdated by:  RHSA-2008:0270		     2918b1efdf30b62055c9d3cf842d80fe
 
Red Hat Desktop (v. 3)
SRPMS:
libvorbis-1.0-8.el3.src.rpm
File outdated by:  RHSA-2008:0270		     8107795ecfc5fcf28ac0038c2043d29a
 
IA-32:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-devel-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     c5ba155cc3ff3b298152ba00b43e254a
 
x86_64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     bd59c6d510084642a568686dc1612705
libvorbis-devel-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     fe92d7b73cb2f515b1a148621bd09b71
 
Red Hat Desktop (v. 4)
SRPMS:
libvorbis-1.1.0-2.el4.5.src.rpm
File outdated by:  RHSA-2008:0270		     69c599823f0af348e0f372b386e9bd80
 
IA-32:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-devel-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     22a0a747a347907126a4973bf127648b
 
x86_64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     e54d8995cf759809c9cd602880cd2740
libvorbis-devel-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     410756948e6f994be57489ef5ccc06d4
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
libvorbis-1.1.2-3.el5.0.src.rpm
File outdated by:  RHSA-2008:0270		     ece7f2ca6dc593685a632afeaf6ed62d
 
IA-32:
libvorbis-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     d270b61d1d2ae651280fcd4980b60afe
libvorbis-devel-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     02630426500b6cf0747ad0fb9e7d8e2a
 
IA-64:
libvorbis-1.1.2-3.el5.0.ia64.rpm
File outdated by:  RHSA-2008:0270		     c4065d1a29be322d71c3acb897d5e5af
libvorbis-devel-1.1.2-3.el5.0.ia64.rpm
File outdated by:  RHSA-2008:0270		     af81096ecfac9f55f6c19e87d69fa340
 
PPC:
libvorbis-1.1.2-3.el5.0.ppc.rpm
File outdated by:  RHSA-2008:0270		     1a3316787f26fb80385732cf3bf87b56
libvorbis-1.1.2-3.el5.0.ppc64.rpm
File outdated by:  RHSA-2008:0270		     174b43f0ed51ad979d969bbfbb9d7e8e
libvorbis-devel-1.1.2-3.el5.0.ppc.rpm
File outdated by:  RHSA-2008:0270		     519e559e9f83625213f30e71cfa13412
libvorbis-devel-1.1.2-3.el5.0.ppc64.rpm
File outdated by:  RHSA-2008:0270		     aea17a74c47eb57d382c151742d24639
 
s390x:
libvorbis-1.1.2-3.el5.0.s390.rpm
File outdated by:  RHSA-2008:0270		     09a69e1bca67c92fc93913365d65b853
libvorbis-1.1.2-3.el5.0.s390x.rpm
File outdated by:  RHSA-2008:0270		     c27891e50fc9758e3754eda9e5045b36
libvorbis-devel-1.1.2-3.el5.0.s390.rpm
File outdated by:  RHSA-2008:0270		     2f8f3b85beaf374bf399dad2de329b58
libvorbis-devel-1.1.2-3.el5.0.s390x.rpm
File outdated by:  RHSA-2008:0270		     77bacf33bb4f191faaa9c6ffe82ba814
 
x86_64:
libvorbis-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     d270b61d1d2ae651280fcd4980b60afe
libvorbis-1.1.2-3.el5.0.x86_64.rpm
File outdated by:  RHSA-2008:0270		     7ff9b2bab6593c6e63fdbd4595b4d5b2
libvorbis-devel-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     02630426500b6cf0747ad0fb9e7d8e2a
libvorbis-devel-1.1.2-3.el5.0.x86_64.rpm
File outdated by:  RHSA-2008:0270		     2918b1efdf30b62055c9d3cf842d80fe
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
libvorbis-1.0-8.el3.src.rpm
File outdated by:  RHSA-2008:0270		     8107795ecfc5fcf28ac0038c2043d29a
 
IA-32:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-devel-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     c5ba155cc3ff3b298152ba00b43e254a
 
IA-64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.ia64.rpm
File outdated by:  RHSA-2008:0270		     cb56c38c287ea8c5073d264e79989e96
libvorbis-devel-1.0-8.el3.ia64.rpm
File outdated by:  RHSA-2008:0270		     bb6b80dee9560555f99d61a2ac697f9f
 
PPC:
libvorbis-1.0-8.el3.ppc.rpm
File outdated by:  RHSA-2008:0270		     f983629809912bfa70e955bfc309e594
libvorbis-1.0-8.el3.ppc64.rpm
File outdated by:  RHSA-2008:0270		     322dbf918fd05cc43f1b79f383cc4b58
libvorbis-devel-1.0-8.el3.ppc.rpm
File outdated by:  RHSA-2008:0270		     61aeb1d9554a503a1ea442542b06fafd
 
s390:
libvorbis-1.0-8.el3.s390.rpm
File outdated by:  RHSA-2008:0270		     e2955cca69c5a52c2aa9cda3edcbfe0e
libvorbis-devel-1.0-8.el3.s390.rpm
File outdated by:  RHSA-2008:0270		     2f36e33ee1275c6c83dc55892f7de265
 
s390x:
libvorbis-1.0-8.el3.s390.rpm
File outdated by:  RHSA-2008:0270		     e2955cca69c5a52c2aa9cda3edcbfe0e
libvorbis-1.0-8.el3.s390x.rpm
File outdated by:  RHSA-2008:0270		     f3c4c5de67e97827b2e5a2bea359eff8
libvorbis-devel-1.0-8.el3.s390x.rpm
File outdated by:  RHSA-2008:0270		     50075035cec0612d50035bd834f5b49d
 
x86_64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     bd59c6d510084642a568686dc1612705
libvorbis-devel-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     fe92d7b73cb2f515b1a148621bd09b71
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
libvorbis-1.1.0-2.el4.5.src.rpm
File outdated by:  RHSA-2008:0270		     69c599823f0af348e0f372b386e9bd80
 
IA-32:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-devel-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     22a0a747a347907126a4973bf127648b
 
IA-64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.ia64.rpm
File outdated by:  RHSA-2008:0270		     df79ceec009e33f8e4d19af3270df7c7
libvorbis-devel-1.1.0-2.el4.5.ia64.rpm
File outdated by:  RHSA-2008:0270		     95783ef5a4d515933db7d9d6347225d9
 
PPC:
libvorbis-1.1.0-2.el4.5.ppc.rpm
File outdated by:  RHSA-2008:0270		     86f0d999727257eda58e1278b3f21dbd
libvorbis-1.1.0-2.el4.5.ppc64.rpm
File outdated by:  RHSA-2008:0270		     419259ae33a85ddd6314643d84f76f4d
libvorbis-devel-1.1.0-2.el4.5.ppc.rpm
File outdated by:  RHSA-2008:0270		     ba0c50ac7a6b1152deea9765af6ecd5b
 
s390:
libvorbis-1.1.0-2.el4.5.s390.rpm
File outdated by:  RHSA-2008:0270		     4f190e865d5004af3cdb88a76b2305a4
libvorbis-devel-1.1.0-2.el4.5.s390.rpm
File outdated by:  RHSA-2008:0270		     995b8c27ef4bfd8b676a436d3668a2ae
 
s390x:
libvorbis-1.1.0-2.el4.5.s390.rpm
File outdated by:  RHSA-2008:0270		     4f190e865d5004af3cdb88a76b2305a4
libvorbis-1.1.0-2.el4.5.s390x.rpm
File outdated by:  RHSA-2008:0270		     c5dda135c29a240c83a21c62a9f73f14
libvorbis-devel-1.1.0-2.el4.5.s390x.rpm
File outdated by:  RHSA-2008:0270		     f81c7debdd694d7d92299b481f13f42c
 
x86_64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     e54d8995cf759809c9cd602880cd2740
libvorbis-devel-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     410756948e6f994be57489ef5ccc06d4
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
libvorbis-1.1.2-3.el5.0.src.rpm
File outdated by:  RHSA-2008:0270		     ece7f2ca6dc593685a632afeaf6ed62d
 
IA-32:
libvorbis-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     d270b61d1d2ae651280fcd4980b60afe
 
x86_64:
libvorbis-1.1.2-3.el5.0.i386.rpm
File outdated by:  RHSA-2008:0270		     d270b61d1d2ae651280fcd4980b60afe
libvorbis-1.1.2-3.el5.0.x86_64.rpm
File outdated by:  RHSA-2008:0270		     7ff9b2bab6593c6e63fdbd4595b4d5b2
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
libvorbis-1.0-8.el3.src.rpm
File outdated by:  RHSA-2008:0270		     8107795ecfc5fcf28ac0038c2043d29a
 
IA-32:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-devel-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     c5ba155cc3ff3b298152ba00b43e254a
 
IA-64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.ia64.rpm
File outdated by:  RHSA-2008:0270		     cb56c38c287ea8c5073d264e79989e96
libvorbis-devel-1.0-8.el3.ia64.rpm
File outdated by:  RHSA-2008:0270		     bb6b80dee9560555f99d61a2ac697f9f
 
x86_64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     bd59c6d510084642a568686dc1612705
libvorbis-devel-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     fe92d7b73cb2f515b1a148621bd09b71
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
libvorbis-1.1.0-2.el4.5.src.rpm
File outdated by:  RHSA-2008:0270		     69c599823f0af348e0f372b386e9bd80
 
IA-32:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-devel-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     22a0a747a347907126a4973bf127648b
 
IA-64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.ia64.rpm
File outdated by:  RHSA-2008:0270		     df79ceec009e33f8e4d19af3270df7c7
libvorbis-devel-1.1.0-2.el4.5.ia64.rpm
File outdated by:  RHSA-2008:0270		     95783ef5a4d515933db7d9d6347225d9
 
x86_64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     e54d8995cf759809c9cd602880cd2740
libvorbis-devel-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     410756948e6f994be57489ef5ccc06d4
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
libvorbis-1.0-8.el3.src.rpm
File outdated by:  RHSA-2008:0270		     8107795ecfc5fcf28ac0038c2043d29a
 
IA-32:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-devel-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     c5ba155cc3ff3b298152ba00b43e254a
 
IA-64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.ia64.rpm
File outdated by:  RHSA-2008:0270		     cb56c38c287ea8c5073d264e79989e96
libvorbis-devel-1.0-8.el3.ia64.rpm
File outdated by:  RHSA-2008:0270		     bb6b80dee9560555f99d61a2ac697f9f
 
x86_64:
libvorbis-1.0-8.el3.i386.rpm
File outdated by:  RHSA-2008:0270		     95038ec2657791a93747742300738b02
libvorbis-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     bd59c6d510084642a568686dc1612705
libvorbis-devel-1.0-8.el3.x86_64.rpm
File outdated by:  RHSA-2008:0270		     fe92d7b73cb2f515b1a148621bd09b71
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
libvorbis-1.1.0-2.el4.5.src.rpm
File outdated by:  RHSA-2008:0270		     69c599823f0af348e0f372b386e9bd80
 
IA-32:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-devel-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     22a0a747a347907126a4973bf127648b
 
IA-64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.ia64.rpm
File outdated by:  RHSA-2008:0270		     df79ceec009e33f8e4d19af3270df7c7
libvorbis-devel-1.1.0-2.el4.5.ia64.rpm
File outdated by:  RHSA-2008:0270		     95783ef5a4d515933db7d9d6347225d9
 
x86_64:
libvorbis-1.1.0-2.el4.5.i386.rpm
File outdated by:  RHSA-2008:0270		     0dc97da60bc803c5f7ecd78ec1befd15
libvorbis-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     e54d8995cf759809c9cd602880cd2740
libvorbis-devel-1.1.0-2.el4.5.x86_64.rpm
File outdated by:  RHSA-2008:0270		     410756948e6f994be57489ef5ccc06d4
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

245991 - CVE-2007-3106 libvorbis array boundary condition
249780 - CVE-2007-4065 Multiple libvorbis flaws (CVE-2007-4066, CVE-2007-4029)


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4066
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/