[Speex-dev] speex affected by vulnerability described in [oCERT 2008-02]
Conrad Parker
conrad at metadecks.org
Mon Apr 7 19:39:43 PDT 2008
On 08/04/2008, Jean-Marc Valin <jean-marc.valin at usherbrooke.ca> wrote:
> Andrea Barisani wrote:
>
> > We
> > published yesterday an advisory about libfishsound, you can find it at the
> > following URL:
> >
> > http://www.ocert.org/advisories/ocert-2008-2.html
> >
> > The issue seems to affect Speex (since the code is the same) versions <=
> > 1.1.12. While the 1.2beta branch is not vulnerable we advise that you fix
> > with a security release what's advertised as stable version as well.
>
>
> The fundamental issue is actually not with Speex itself. What happens is
> that libfishsound would use the Speex call to parse the header, but
> wouldn't actually sanitise them.
I think Andrea is saying that the speexdec shipped in <= 1.1.12 does
have the bug, and suggesting a 1.0.x release that fixes it (as 1.0.5
is still advertised as the "stable" branch at
http://speex.org/downloads/).
> That being said, I think it's worth
> putting a workaround in Speex that just rejects headers that have
> invalid modes or other invalid data.
I sent Jean-Marc a patch that does that recently. This issue is also
avoided if the speex_lib_get_mode() function is used instead of
indexing into the global speex_mode_list[]. See
http://blog.kfish.org/2008/04/release-libfishsound-091.html
for a discussion about that.
Anyway, I wouldn't call these "workarounds", just part of making a
robust API :-)
cheers,
Conrad.
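The pattern discussed above (a header's mode field used as a raw index into the mode table, versus a bounds-checked lookup with the same contract as speex_lib_get_mode() plus rejection of headers with invalid data), as an added example that is not code from the original post, from libspeex or from libfishsound. It assumes the 80-byte Ogg Speex identification header layout (8-byte "Speex   " magic, 20-byte version string, then little-endian int32 fields with rate at offset 36, mode at 40, nb_channels at 48 and frame_size at 56), uses a stand-in three-entry mode table in place of speex_mode_list[], and the accepted sample-rate range and per-packet frame cap are assumed, not taken from Speex:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libspeex's speex_mode_list[] (assumption: three modes,
 * narrowband / wideband / ultra-wideband, indexed by the header's mode). */
#define NB_MODES 3
typedef struct { const char *name; int32_t frame_size; } codec_mode;
static const codec_mode mode_table[NB_MODES] = {
    { "narrowband", 160 }, { "wideband", 320 }, { "ultra-wideband", 640 },
};

/* The header fields this check looks at. */
typedef struct {
    int32_t rate, mode, nb_channels, frame_size, frames_per_packet;
} hdr_fields;

static int32_t le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}
static void put32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff; p[2] = (u >> 16) & 0xff; p[3] = u >> 24;
}

/* Pull the fields out of a raw identification header (assumed layout: see
 * lead-in). Returns 0 on success, -1 if the buffer is short or the magic
 * string is wrong. Nothing here is validated yet; that is header_is_sane(). */
int parse_header(const uint8_t *buf, size_t len, hdr_fields *out) {
    if (len < 80 || memcmp(buf, "Speex   ", 8) != 0) return -1;
    out->rate              = le32(buf + 36);
    out->mode              = le32(buf + 40);
    out->nb_channels       = le32(buf + 48);
    out->frame_size        = le32(buf + 56);
    out->frames_per_packet = le32(buf + 64);
    return 0;
}

/* The unsafe pattern: the untrusted mode goes straight into the table, so a
 * negative or oversized value reads outside mode_table. Shown for contrast;
 * never call it with an unvalidated header. */
const codec_mode *mode_unchecked(const hdr_fields *h) {
    return &mode_table[h->mode];
}

/* Bounds-checked lookup with the same contract as speex_lib_get_mode():
 * NULL for anything outside [0, NB_MODES). */
const codec_mode *mode_checked(int32_t mode) {
    if (mode < 0 || mode >= NB_MODES) return NULL;
    return &mode_table[mode];
}

/* Reject a header before any decoder state is built from it. Returns 1 if it
 * is acceptable, 0 if it should be dropped. Rate range and packet cap are
 * assumed plausible bounds for this example, not Speex's own limits. */
int header_is_sane(const hdr_fields *h) {
    const codec_mode *m = mode_checked(h->mode);
    if (m == NULL) return 0;
    if (h->nb_channels != 1 && h->nb_channels != 2) return 0;
    if (h->rate < 6000 || h->rate > 48000) return 0;
    if (h->frame_size != m->frame_size) return 0;
    if (h->frames_per_packet < 1 || h->frames_per_packet > 10) return 0;
    return 1;
}

/* Build a constructed 80-byte header for testing (not a captured file). */
void make_header(uint8_t buf[80], int32_t mode, int32_t nb_channels,
                 int32_t frame_size) {
    memset(buf, 0, 80);
    memcpy(buf, "Speex   ", 8);
    memcpy(buf + 8, "1.2beta", 7);
    put32(buf + 28, 1);        /* speex_version_id */
    put32(buf + 32, 80);       /* header_size */
    put32(buf + 36, 16000);    /* rate */
    put32(buf + 40, mode);
    put32(buf + 44, 4);        /* mode_bitstream_version */
    put32(buf + 48, nb_channels);
    put32(buf + 52, -1);       /* bitrate: unknown */
    put32(buf + 56, frame_size);
    put32(buf + 64, 1);        /* frames_per_packet */
}

int main(void) {
    uint8_t buf[80];
    hdr_fields h;
    const int32_t probes[] = { 1, 7, -1 };   /* valid, too large, negative */
    for (size_t i = 0; i < 3; i++) {
        make_header(buf, probes[i], 1, 320);
        if (parse_header(buf, sizeof buf, &h) != 0) continue;
        const codec_mode *m = mode_checked(h.mode);
        printf("mode %d -> %s, header %s\n", h.mode, m ? m->name : "rejected",
               header_is_sane(&h) ? "accepted" : "dropped");
    }
    return 0;
}
```

The point of header_is_sane() is that it runs before any decoder state is created, so a bad mode never reaches the table, and the mode/frame_size cross-check catches a header that names one mode but carries another mode's framing.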