CVE-2008-1419 — Improper Input Validation in Libvorbis

CWE-20 — Improper Input Validation CWE-835 — Infinite Loop7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

13.1%

top 5.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xiph.org Libvorbis Debian Libvorbis Debian Libvorbisidec

Timeline

PublishedMay 16

Latest updateMay 1

Description

Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶Debianxiph.org/libvorbis< 1.2.0.dfsg-3.1+3

▶NVDxiph.org/libvorbis6 versions+5

▶debiandebian/libvorbis< libvorbis 1.2.0.dfsg-3.1 (bookworm)

▶debiandebian/libvorbisidec< libvorbis 1.2.0.dfsg-3.1 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-j65j-225q-hjwr: Xiph↗2022-05-01

▶

OSV

CVE-2008-1419: Xiph↗2008-05-16

▶

📋Vendor Advisories

Ubuntu

libvorbis vulnerabilities↗2008-12-01

▶

Red Hat

vorbis: zero-dim codebooks can cause crash, infinite loop or heap overflow↗2008-05-14

▶

Debian

CVE-2008-1419: libvorbis - Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for c...↗2008

▶

💬Community

Bugzilla

CVE-2008-1419 vorbis: zero-dim codebooks can cause crash, infinite loop or heap overflow↗2008-04-04

▶