CVE-2007-3106
libvorbis array boundary condition
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.
En la biblioteca lib/info.c en libvorbis versión 1.1.2, y posiblemente otras versiones anteriores a 1.2.0, permite a los atacantes dependiendo del contexto causar una denegación de servicio y posiblemente ejecutar código arbitrario por medio de valores no válidos (1) blocksize_0 y (2) blocksize_1, que desencadenan una "heap overwrite" en la función _01inverse en el archivo res0.c. NOTA: este problema ha sido REESTRUCTURADO para que el CVE-2007-4029 maneje vectores adicionales.
David Thiel of iSEC Partners discovered a heap-based buffer overflow in the _01inverse() function in res0.c and a boundary checking error in the vorbis_info_clear() function in info.c. libvorbis is also prone to several Denial of Service vulnerabilities in form of infinite loops and invalid memory access with unknown impact. Versions less than 1.2.0 are affected.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2007-06-07 CVE Reserved
- 2007-07-26 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-399: Resource Management Errors
CAPEC
References (28)
| URL | Tag | Source |
|---|---|---|
| http://www.isecpartners.com/advisories/2007-003-libvorbis.txt | X_refsource_misc | |
| http://www.securityfocus.com/archive/1/474729/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/25082 | Vdb Entry | |
| http://www.tellini.org/blog/archives/32-Music-Box-1.6.html | X_refsource_confirm | |
| https://bugzilla.redhat.com/show_bug.cgi?id=249780 | X_refsource_confirm | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/35622 | Vdb Entry | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11449 | Signature | |
| https://trac.xiph.org/changeset/13160 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://issues.rpath.com/browse/RPL-1590 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1 Search vendor "Rpath" for product "Rpath Linux" and version "1" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.1 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.1" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.2 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.2" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.3 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.3" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.4 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.4" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.5 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.5" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | <= 1.2.0 Search vendor "Libvorbis" for product "Libvorbis" and version " <= 1.2.0" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.6 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.6" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1 Search vendor "Rpath" for product "Rpath Linux" and version "1" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.1 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.1" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.2 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.2" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.3 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.3" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.4 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.4" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.5 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.5" | - |
Safe
|
| Libvorbis Search vendor "Libvorbis" | Libvorbis Search vendor "Libvorbis" for product "Libvorbis" | 1.1.2 Search vendor "Libvorbis" for product "Libvorbis" and version "1.1.2" | - |
Affected
| in | Rpath Search vendor "Rpath" | Rpath Linux Search vendor "Rpath" for product "Rpath Linux" | 1.0.6 Search vendor "Rpath" for product "Rpath Linux" and version "1.0.6" | - |
Safe
|