Bug#876779: libvorbis: CVE-2017-14632

Guido Günther agx at sigxcpu.org
Thu Dec 21 13:38:07 UTC 2017


Hi,
On Mon, Sep 25, 2017 at 09:49:33PM +0200, Salvatore Bonaccorso wrote:
> Source: libvorbis
> Version: 1.3.5-4
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328
> 
> Hi,
> 
> the following vulnerability was published for libvorbis.
> 
> CVE-2017-14633[0]:
> | In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
> | exists in the function mapping0_forward() in mapping0.c, which may lead
> | to DoS when operating on a crafted audio file with vorbis_analysis().
> 
> The reproducer was not attached to the upstream issue, since it looks like it was
> not possible for the reporter to include it in the report.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have uploaded an NMU with the attached debdiff to fix this CVE and
CVE-2017-14633 to delayed/7. Please let me know if you want me to cancel
it (or go ahead with a quicker upload).

Cheers,
 -- Guido
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.3.5-4.1.diff
Type: text/x-diff
Size: 4810 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xiph-maint/attachments/20171221/eb83b4fc/attachment.diff>