oCERT-2008-002 libfishsound insufficient boundary checks

Description:

The libfishsound decoder library incorrectly implements the reference speex decoder from the Speex library, performing insufficient boundary checks on a header structure read from user input.

A user-controlled field in the header structure is used to build a function pointer. The libfishsound implementation does not check for negative values in this field, allowing the function pointer to be pointed at an arbitrary position in memory. This allows remote code execution.
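The shape of the bug described above, as an added illustration rather than libfishsound's or Speex's own code: a signed mode index read from the header selects an entry in a table of decoder function pointers, and a check that only guards the upper bound lets a negative index reach memory before the table. All names here (mode_table, lookup_mode, header_select_mode) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a decoder mode table: each entry carries a
 * function pointer that is selected by a mode index taken from the header. */
typedef int (*decode_fn)(const uint8_t *buf, size_t len);

static int decode_narrowband(const uint8_t *buf, size_t len) { (void)buf; return (int)len; }
static int decode_wideband(const uint8_t *buf, size_t len)   { (void)buf; return (int)len * 2; }

struct mode { const char *name; decode_fn decode; };

static const struct mode mode_table[] = {
    { "narrowband", decode_narrowband },
    { "wideband",   decode_wideband   },
};
#define NB_MODES ((int)(sizeof mode_table / sizeof mode_table[0]))

/* Unsafe lookup (the pattern the advisory describes): only the upper bound
 * is checked, so a negative index still dereferences memory before the table.
 * Shown for contrast; never call it with untrusted input. */
const struct mode *lookup_mode_unsafe(int mode)
{
    if (mode >= NB_MODES) return NULL;
    return &mode_table[mode];          /* mode < 0 indexes out of bounds */
}

/* Hardened lookup: reject negative and too-large indices alike. */
static const struct mode *lookup_mode(int mode)
{
    if (mode < 0 || mode >= NB_MODES) return NULL;
    return &mode_table[mode];
}

/* Parse the mode field from a constructed 4-byte little-endian header and
 * resolve it; returns 0 on success, -1 when the header is rejected. */
static int header_select_mode(const uint8_t hdr[4], const struct mode **out)
{
    int32_t mode = (int32_t)((uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                             (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24);
    *out = lookup_mode(mode);
    return *out ? 0 : -1;
}
```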

A patch has been committed to the libfishsound public repository.

Affected version: <= 0.9.0

Fixed version: 0.9.1

Additional affected packages:

Speex <= 1.1.12, the reference implementation from which libfishsound is derived.

Illiminable DirectShow Filters, which statically include the libfishsound library.

Annodex Plugins for Firefox.

Credit: reporter wishes to remain anonymous

CVE: CVE-2008-1686

Timeline:

2008-04-05: vulnerability report received
2008-04-05: contacted libfishsound maintainers
2008-04-06: upstream maintainer publicly releases patch
2008-04-06: advisory release
2008-04-07: assigned CVE
2008-04-07: libfishsound 0.9.1 released
2008-04-07: added Speex to affected packages
2008-04-10: further investigation leads to discovery of more affected packages, see oCERT-2008-004

References:
http://trac.annodex.net/changeset/3535
http://trac.annodex.net/changeset/3536
http://lists.xiph.org/pipermail/speex-dev/2008-April/006636.html
http://blog.kfish.org/2008/04/release-libfishsound-091.html