CVE-2017-14160
Published 2017-09-21
Priority P340 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 4.58% (90.4th percentile)
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libvorbis | < libvorbis 1.3.6-2 (bookworm) | libvorbis 1.3.6-2 (bookworm) |
| xiph.org | libvorbis | — | — |
| xiph.org | libvorbis | >= 0 < 1.3.6-2 | 1.3.6-2 |
| xiph.org | libvorbis | >= 0 < 1.3.6-2 | 1.3.6-2 |
| xiph.org | libvorbis | >= 0 < 1.3.6-2 | 1.3.6-2 |
| xiph.org | libvorbis | >= 0 < 1.3.6-2 | 1.3.6-2 |
| xiph.org | libvorbis | >= 0 < 1.3.5-3ubuntu0.2+esm1 | 1.3.5-3ubuntu0.2+esm1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
Ubuntu
Vorbis vulnerabilities
vendor_ubuntu·2022-05-12·CVSS 8.8
CVE-2018-10392 [HIGH] Vorbis vulnerabilities
Title: Vorbis vulnerabilities
Summary: Several security issues were fixed in Vorbis.
It was discovered that Vorbis incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code.
(CVE-2017-14160, CVE-2018-10392, CVE-2018-10393)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libvorbis: Out-of-bounds read in the bark_noise_hybridmp function
vendor_redhat·2017-09-21·CVSS 8.8
CVE-2017-14160 [HIGH] CWE-125 libvorbis: Out-of-bounds read in the bark_noise_hybridmp function
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
Package: libvorbis (Red Hat Enterprise Linux 5) - Will not fix
Package: libvorbis (Red Hat Enterprise Linux 6) - Will not fix
Package: libvorbis (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2017-14160: libvorbis - The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows rem...
vendor_debian·2017·CVSS 8.8
CVE-2017-14160 [HIGH] CVE-2017-14160: libvorbis - The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows rem...
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
Scope: local
bookworm: resolved (fixed in 1.3.6-2)
bullseye: resolved (fixed in 1.3.6-2)
forky: resolved (fixed in 1.3.6-2)
sid: resolved (fixed in 1.3.6-2)
trixie: resolved (fixed in 1.3.6-2)
GHSA
GHSA-g94q-v9xg-xv9r: The bark_noise_hybridmp function in psy
ghsa_unreviewed·2022-05-13
CVE-2017-14160 [HIGH] CWE-119 GHSA-g94q-v9xg-xv9r: The bark_noise_hybridmp function in psy
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
OSV
libvorbis vulnerabilities
osv·2022-05-12·CVSS 8.8
CVE-2017-14160 [HIGH] libvorbis vulnerabilities
It was discovered that Vorbis incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code.
(CVE-2017-14160, CVE-2018-10392, CVE-2018-10393)
OSV
CVE-2017-14160: The bark_noise_hybridmp function in psy
osv·2017-09-21·CVSS 8.8
CVE-2017-14160 [HIGH] CVE-2017-14160: The bark_noise_hybridmp function in psy
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-14160 libvorbis: Out-of-bounds read in the bark_noise_hybridmp function
bugzilla·2017-10-09·CVSS 8.8
CVE-2017-14160 [HIGH] CVE-2017-14160 libvorbis: Out-of-bounds read in the bark_noise_hybridmp function
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
References:
http://openwall.com/lists/oss-security/2017/09/21/2
Upstream issue:
https://gitlab.xiph.org/xiph/vorbis/issues/2330
Discussion:
Created libvorbis tracking bugs for this issue:
Affects: fedora-all [bug 1480650]
Created mingw-libvorbis tracking bugs for this issue:
Affects: epel-7 [bug 1480649]
Affects: fedora-all [bug 1480648]
Bugzilla
CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 mingw-libvorbis: various flaws [fedora-all]
bugzilla·2017-08-11·CVSS 5.5
CVE-2017-11333 [MEDIUM] CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 mingw-libvorbis: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
Bugzilla
CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 libvorbis: various flaws [fedora-all]
bugzilla·2017-08-11·CVSS 5.5
CVE-2017-11333 [MEDIUM] CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 libvorbis: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 mingw-libvorbis: various flaws [epel-7]
bugzilla·2017-08-11·CVSS 5.5
CVE-2017-11333 [MEDIUM] CVE-2017-11333 CVE-2017-11735 CVE-2017-14160 CVE-2017-14632 CVE-2017-14633 mingw-libvorbis: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use th
References:
http://openwall.com/lists/oss-security/2017/09/21/2
http://www.securityfocus.com/bid/101045
https://lists.debian.org/debian-lts-announce/2019/11/msg00031.html
https://lists.debian.org/debian-lts-announce/2021/11/msg00023.html
https://security.gentoo.org/glsa/202003-36