CVE-2008-1686 — HIGH (9.3) — White Hats Nepal

Q: How severe is CVE-2008-1686?

CVE-2008-1686 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2008-1686?

Check the references section above for vendor advisories and patch information. Affected products include: Xine Xine-Lib, Xiph Speex, Xiph Libfishsound.

Vulnerability Description

Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.

CVSS Score

9.3

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Xine	Xine-Lib	<= 1.1.11.1
Xiph	Speex	<= 1.1.12
Xiph	Libfishsound	<= 0.9.0

Related Weaknesses (CWE)

CWE-189

References

http://blog.kfish.org/2008/04/release-libfishsound-091.html
http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00001.html
http://lists.xiph.org/pipermail/speex-dev/2008-April/006636.html
http://secunia.com/advisories/29672Vendor Advisory
http://secunia.com/advisories/29727Vendor Advisory
http://secunia.com/advisories/29835Vendor Advisory
http://secunia.com/advisories/29845Vendor Advisory
http://secunia.com/advisories/29854Vendor Advisory
http://secunia.com/advisories/29866Vendor Advisory
http://secunia.com/advisories/29878Vendor Advisory
http://secunia.com/advisories/29880Vendor Advisory
http://secunia.com/advisories/29881Vendor Advisory
http://secunia.com/advisories/29882Vendor Advisory
http://secunia.com/advisories/29898Vendor Advisory
http://secunia.com/advisories/30104Vendor Advisory

FAQ

What is CVE-2008-1686?

CVE-2008-1686 is a vulnerability with a CVSS score of 9.3 (HIGH). Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and ...

How severe is CVE-2008-1686?

CVE-2008-1686 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2008-1686?

Check the references section above for vendor advisories and patch information. Affected products include: Xine Xine-Lib, Xiph Speex, Xiph Libfishsound.