[Speex-dev] speex affected by vulnerability described in [oCERT 2008-02]

Jean-Marc Valin jean-marc.valin at usherbrooke.ca
Mon Apr 7 18:46:16 PDT 2008


Andrea Barisani a écrit :
> we've tried contacting Jean-Marc Valin but email address bounces. 

What email address did you use? This email address has always been
listed for Speex.

> We
> published yesterday an advisory about libfishsound, you can find it at the
> following URL:
> 
> http://www.ocert.org/advisories/ocert-2008-2.html
> 
> The issues seems to affect Speex (since the code is the same) versions <=
> 1.1.12. While the 1.2beta branch is not vulnerable we advise that you fix
> with a security release what's advertised as stable version as well.

The fundamental issue is actually not with Speex itself. What happens is
that libfishsound would use the Speex call to parse the header, but
wouldn't actually sanitise them. That being said, I think it's worth
putting a workaround in Speex that just rejects headers that have
invalid modes or other invalid data.

> We have contacted vendors that ship speex package, if you know of any project
> that links statically or includes the vulnerable code (coming from both speex or
> libfishsound) please let us know so that we can send out appropriate
> notifications.

Note that not all apps would be vulnerable, only apps that *both* 1) use
Ogg (not VoIP apps) and 2) don't properly check the parsed headers.

	Jean-Marc


More information about the Speex-dev mailing list