CVE-2009-2663

Name	CVE-2009-2663
Description	libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1939-1
Debian Bugs	540958, 540961, 669196

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libvorbis (PTS)	buster	1.3.6-2	fixed
	bookworm, bullseye	1.3.7-1	fixed
	sid, trixie	1.3.7-2	fixed
libvorbisidec (PTS)	buster	1.2.1+git20180316-3	fixed
	sid, trixie, bookworm, bullseye	1.2.1+git20180316-7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libvorbis	source	etch	1.1.2.dfsg-1.4+etch1		DSA-1939-1
libvorbis	source	lenny	1.2.0.dfsg-3.1+lenny1		DSA-1939-1
libvorbis	source	(unstable)	1.2.0.dfsg-6	medium		540958
libvorbisidec	source	(unstable)	1.0.2+svn16259-2			669196
xulrunner	source	etch	(not affected)
xulrunner	source	lenny	(not affected)
xulrunner	source	(unstable)	1.9.1.2-1	medium		540961

Notes

[squeeze] - libvorbisidec <no-dsa> (Minor issue, no dev-deps)
[etch] - xulrunner <not-affected> (vulnerability introduced in 1.9.1.0)
[lenny] - xulrunner <not-affected> (vulnerability introduced in 1.9.1.0)