[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1368-1] libvorbis security update

Package        : libvorbis
Version        : 1.3.2-1.3+deb7u1
CVE ID         : CVE-2017-11333 CVE-2017-14632 CVE-2017-14633 CVE-2018-5146

Serious vulnerabilities were found in the libvorbis library, commonly
used to encode and decode audio in OGG containers.


     In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read
     vulnerability exists in the function mapping0_forward() in
     mapping0.c, which may lead to DoS when operating on a crafted
     audio file with vorbis_analysis().


     Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon
     freeing uninitialized memory in the function
     vorbis_analysis_headerout() in info.c when vi->channels<=0, a
     similar issue to Mozilla bug 550184.


     The vorbis_analysis_wrote function in lib/block.c in Xiph.Org
     libvorbis 1.3.5 allows remote attackers to cause a denial of
     service (OOM) via a crafted wav file.


     out-of-bounds memory write in the codeboook parsing code of the
     Libvorbis multimedia library could result in the execution of
     arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version

We recommend that you upgrade your libvorbis packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to: