CVE-2007-3106
Published 2007-07-26
CVE-2007-3106: lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute…
Priority P426 · medium · 6.8 · CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
3.14%
86.3th percentile
lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libvorbis | < libvorbis 1.2.0.dfsg-1 (bookworm) | libvorbis 1.2.0.dfsg-1 (bookworm) |
| debian | libvorbisidec | < libvorbis 1.2.0.dfsg-1 (bookworm) | libvorbis 1.2.0.dfsg-1 (bookworm) |
| libvorbis | libvorbis | <= 1.2.0 | — |
| libvorbis | libvorbis | — | — |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-1 | 1.2.0.dfsg-1 |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-1 | 1.2.0.dfsg-1 |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-1 | 1.2.0.dfsg-1 |
| xiph.org | libvorbis | >= 0 < 1.2.0.dfsg-1 | 1.2.0.dfsg-1 |
CVSS provenance
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 · MEDIUM
vendor_debian · 6.8 · MEDIUM
vendor_redhat · 6.8 · MEDIUM
GHSA
GHSA-g2r6-v9mj-qx9w: lib/info
ghsa_unreviewed·2022-05-01·CVSS 6.8
CVE-2007-3106 [MEDIUM] GHSA-g2r6-v9mj-qx9w: lib/info
OSV
CVE-2007-3106: lib/info
osv·2007-07-26·CVSS 6.8
CVE-2007-3106 [MEDIUM] CVE-2007-3106: lib/info
Ubuntu
libvorbis vulnerabilities
vendor_ubuntu·2007-08-16
CVE-2007-3106 libvorbis vulnerabilities
David Thiel discovered that libvorbis did not correctly verify the size
of certain headers, and did not correctly clean up a broken stream.
If a user were tricked into processing a specially crafted Vorbis stream,
a remote attacker could execute arbitrary code with the user's privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
libvorbis array boundary condition
vendor_redhat·2007-07-26·CVSS 6.8
CVE-2007-3106 [MEDIUM] libvorbis array boundary condition
Debian
CVE-2007-3106: libvorbis - lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows ...
vendor_debian·2007·CVSS 6.8
CVE-2007-3106 [MEDIUM] CVE-2007-3106: libvorbis - lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows ...
Scope: local
bookworm: resolved (fixed in 1.2.0.dfsg-1)
bullseye: resolved (fixed in 1.2.0.dfsg-1)
forky: resolved (fixed in 1.2.0.dfsg-1)
sid: resolved (fixed in 1.2.0.dfsg-1)
trixie: resolved (fixed in 1.2.0.dfsg-1)
Suricata
ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT
suricata·2010-07-30·CVSS 7.5
CVE-2007-0226 [HIGH] ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005665; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo
Suricata
ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-0226 [HIGH] ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo
Suricata
ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-0226 [HIGH] ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005667; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo
Suricata
ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-0226 [HIGH] ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005668; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploi
Suricata
ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-0226 [HIGH] ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005663; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo
Suricata
ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-0226 [HIGH] ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005664; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_techniq
No public exploits indexed.
Bugzilla
CVE-2007-3106 libvorbis array boundary condition [F7]
bugzilla·2007-08-02·CVSS 6.8
CVE-2007-3106 [MEDIUM] CVE-2007-3106 libvorbis array boundary condition [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Built libvorbis-1.1.2-3.fc7
---
libvorbis-1.1.2-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-3106 libvorbis array boundary condition [FC6]
bugzilla·2007-08-02·CVSS 6.8
CVE-2007-3106 [MEDIUM] CVE-2007-3106 libvorbis array boundary condition [FC6]
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Behdad: Ping. Please push a fixed package into FC6.
---
Built libvorbis-1.1.2-2.fc6
---
Behdad: Could you please push the package?
---
Is it still not pushed?
---
libvorbis-1.1.2-2.fc6 FC6 Final
Bugzilla
CVE-2007-3106 libvorbis array boundary condition
bugzilla·2007-06-27·CVSS 6.8
CVE-2007-3106 [MEDIUM] CVE-2007-3106 libvorbis array boundary condition
Chris Montgomery has informed us of a bug found in libvorbis.
The patch is in revision 13160 from http://svn.xiph.org/trunk/vorbis
(svn diff -r 13159:13160 http://svn.xiph.org/trunk/vorbis)
I'm calling this bug an "array boundary condition flaw". It's the best
definition I could find that matched up with something MITRE uses. The
issue in question is related to the usage of a function pointer table.
Here is an example:
_mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
What happens is the value of 'ci->map_type[i]' can be an attacker
controlled 16 bit unsigned integer. The amount of play with that
function pointer is a bit suspect I admit, but I suspect it's still
exploitable (some peer review from someone better at this sort