Main Vulnerability Database SB2018021401

SB2018021401 - Ubuntu update for libvorbis

Published: February 14, 2018

Security Bulletin ID SB2018021401

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Memory corruption (CVE-ID: CVE-2017-14632)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0. A remote attacker can supply specially crafted files, trigger memory corruption and execute arbitrary code with elevated privileges.

2) Out-of-bounds read (CVE-ID: CVE-2017-14633)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the function mapping0_forward() in mapping0.c due to out-of-bounds array read. A remote attacker can send the specially crafted audio file, trick the victim into operating it with vorbis_analysis() and cause the application to crash.

Remediation

Install update from vendor's website.

References

http://www.ubuntu.com/usn/usn-3569-1/