Credit:
The information has been provided by Owen Arden and Charlie Miller.
The original article can be found at: http://www.ocert.org/advisories/ocert-2009-002.html
Vulnerable Systems:
* OpenCore versions prior to 2.0
Immune Systems:
* OpenCore version 2.0 with change 8815
References:
* http://review.source.android.com/Gerrit#change,8815
* http://review.source.android.com/Gerrit#change,8604
* http://android.git.kernel.org/?p=platform/external/opencore.git;a=summary
* http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_huffman_parsing.cpp;h=491c0cc1b05adecb4ed2d53489c82e7fb4f46108;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded
* http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_mpeg2_stereo_proc.cpp;h=bc4c227fbd60f3f0a90355d7d52c71d46cd4a87c;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded
Timeline:
2009-01-21: Android Security Team informed of issue
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: vendor indicated that no other open source projects affected
2009-02-05: did not discover other open source projects affected
2009-02-05: emailed vendor-sec@lst.de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and received
2009-02-07: advisory published
CVE Information:
CVE-2009-0475