CVE-2007-3106
libvorbis - several vulnerabilities
EPSS 3.0%
Description
lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.
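The description above places the fault in unvalidated blocksize_0 and blocksize_1 values read from the stream's identification header. As an added illustration, not code from libvorbis or from this advisory, the following Python validator parses the 30-byte Vorbis identification header and rejects malformed blocksize combinations before any later decode stage sees them; the field layout and the bounds it enforces (exponents 6..13, i.e. 64..8192, and blocksize_0 <= blocksize_1) are taken from the Vorbis I specification, and the sample headers are constructed fixtures rather than captured files.

```python
import struct

# Blocksize limits from the Vorbis I specification: each blocksize is a power
# of two between 64 (2**6) and 8192 (2**13), and blocksize_0 <= blocksize_1.
MIN_BLOCKSIZE_EXP = 6
MAX_BLOCKSIZE_EXP = 13


class VorbisHeaderError(ValueError):
    """Raised when an identification header fails validation."""


def parse_identification_header(packet: bytes) -> dict:
    """Parse and strictly validate a Vorbis identification header packet.

    Layout (little-endian, per the spec): byte 0 packet type 0x01, bytes 1-6
    the string "vorbis", then vorbis_version (u32), audio_channels (u8),
    audio_sample_rate (u32), bitrate_maximum/nominal/minimum (i32 each),
    one byte holding two 4-bit blocksize exponents, and a framing byte.
    """
    if len(packet) < 30:
        raise VorbisHeaderError("identification header too short")
    if packet[0] != 0x01 or packet[1:7] != b"vorbis":
        raise VorbisHeaderError("not a Vorbis identification header")
    version, channels, rate, br_max, br_nom, br_min = struct.unpack_from(
        "<IBIiii", packet, 7
    )
    if version != 0:
        raise VorbisHeaderError(f"unsupported vorbis_version {version}")
    if channels == 0:
        raise VorbisHeaderError("audio_channels must be non-zero")
    if rate == 0:
        raise VorbisHeaderError("audio_sample_rate must be non-zero")
    # Byte 28 carries two 4-bit exponents packed LSB-first: the low nibble is
    # blocksize_0, the high nibble blocksize_1. These are the values the CVE
    # text says the vulnerable decoder accepted without checking.
    bs0_exp = packet[28] & 0x0F
    bs1_exp = packet[28] >> 4
    for name, exp in (("blocksize_0", bs0_exp), ("blocksize_1", bs1_exp)):
        if not MIN_BLOCKSIZE_EXP <= exp <= MAX_BLOCKSIZE_EXP:
            raise VorbisHeaderError(
                f"{name} exponent {exp} outside {MIN_BLOCKSIZE_EXP}..{MAX_BLOCKSIZE_EXP}"
            )
    if bs0_exp > bs1_exp:
        raise VorbisHeaderError("blocksize_0 must not exceed blocksize_1")
    if not packet[29] & 0x01:
        raise VorbisHeaderError("framing bit not set")
    return {
        "channels": channels,
        "sample_rate": rate,
        "bitrate_max": br_max,
        "bitrate_nominal": br_nom,
        "bitrate_min": br_min,
        "blocksize_0": 1 << bs0_exp,
        "blocksize_1": 1 << bs1_exp,
    }


def is_valid_identification_header(packet: bytes) -> bool:
    """Boolean wrapper suitable for a pre-decode gate or a scanner rule."""
    try:
        parse_identification_header(packet)
        return True
    except VorbisHeaderError:
        return False


def build_identification_header(channels: int, rate: int, bs0_exp: int, bs1_exp: int) -> bytes:
    """Constructed test fixture (not a real stream): assemble a 30-byte header."""
    body = struct.pack("<IBIiii", 0, channels, rate, 0, 128000, 0)
    return b"\x01vorbis" + body + bytes([(bs1_exp << 4) | bs0_exp, 0x01])


# Constructed samples: a well-formed stereo header with 256/2048 blocksizes,
# one with blocksize_0 larger than blocksize_1, and one with exponents that
# fall outside the permitted 6..13 range.
GOOD_HEADER = build_identification_header(2, 44100, 8, 11)
BAD_ORDER_HEADER = build_identification_header(2, 44100, 11, 8)
BAD_RANGE_HEADER = build_identification_header(2, 44100, 3, 15)

if __name__ == "__main__":
    for label, hdr in (("good", GOOD_HEADER), ("bad order", BAD_ORDER_HEADER), ("bad range", BAD_RANGE_HEADER)):
        print(label, is_valid_identification_header(hdr))
```

A gate like this belongs in front of any code path that hands untrusted Ogg Vorbis streams to a native decoder (media servers, transcoding pipelines, file scanners); it does not replace the package upgrade listed below, since the fixed libvorbis performs equivalent checks itself, but it gives a defender an independent, easily logged rejection point for malformed headers.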
How to fix CVE-2007-3106
To remediate CVE-2007-3106, upgrade the affected package to a fixed version below.
- Debian libvorbis: upgrade to 1.2.0.dfsg-1 or later
- upgrade to 1.1.2.dfsg-1.3 or later
- upgrade to 1.0.2+svn16259-2 or later
Is CVE-2007-3106 being exploited?
Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- all versions from 0 up to, but not including, 1.2.0.dfsg-1
- all versions from 0 up to, but not including, 1.1.2.dfsg-1.3
- all versions from 0 up to, but not including, 1.0.2+svn16259-2