CVE-2009-3379

Name	CVE-2009-3379
Description	Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1939-1
Debian Bugs	669196

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libvorbis (PTS)	buster	1.3.6-2	fixed
	bookworm, bullseye	1.3.7-1	fixed
	sid, trixie	1.3.7-2	fixed
libvorbisidec (PTS)	buster	1.2.1+git20180316-3	fixed
	sid, trixie, bookworm, bullseye	1.2.1+git20180316-7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libvorbis	source	etch	1.1.2.dfsg-1.4+etch1		DSA-1939-1
libvorbis	source	lenny	1.2.0.dfsg-3.1+lenny1		DSA-1939-1
libvorbis	source	(unstable)	1.2.3-1	medium
libvorbisidec	source	(unstable)	1.0.2+svn18153-0.1			669196
xulrunner	source	etch	(not affected)
xulrunner	source	lenny	(not affected)
xulrunner	source	(unstable)	1.9.1.4-1

Notes

[squeeze] - libvorbisidec <no-dsa> (Minor issue, no dev-deps)
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
[etch] - xulrunner <not-affected> (Only affects Firefox 3.5)