Vulnerability Description
Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xiph.Org | Libvorbis | 1.0 |
| Canonical | Ubuntu Linux | 8.04 |
References
- http://secunia.com/advisories/30247Third Party Advisory
- http://www.redhat.com/support/errata/RHSA-2008-0271.htmlThird Party Advisory
- http://www.securitytracker.com/id?1020029Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-861-1Third Party Advisory
- http://www.vupen.com/english/advisories/2008/1510/referencesThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=444443Issue TrackingThird Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42521Third Party AdvisoryVDB Entry
- http://secunia.com/advisories/30247Third Party Advisory
- http://www.redhat.com/support/errata/RHSA-2008-0271.htmlThird Party Advisory
- http://www.securitytracker.com/id?1020029Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-861-1Third Party Advisory
- http://www.vupen.com/english/advisories/2008/1510/referencesThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=444443Issue TrackingThird Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42521Third Party AdvisoryVDB Entry
FAQ
What is CVE-2008-2009?
CVE-2008-2009 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory c...
How severe is CVE-2008-2009?
CVE-2008-2009 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-2009?
Check the references section above for vendor advisories and patch information. Affected products include: Xiph.Org Libvorbis, Canonical Ubuntu Linux.