
Re: Wheezy update of vorbis-tools for CVE-2015-6749

[Thorsten Alteholz]
> yes, any LTS upload needs a DLA after the package arrives in the
> archive.  The security tracker contains a script (bin/gen-DLA) that
> creates a template for such a DLA, you just have to fill in some
> description. If you don't want to do this, don't hesitate to inform
> the LTS team and somebody else will do the bookkeeping.

Thank you.  I'm building and testing in wheezy at the moment, and will
upload when I am done.  I would be very happy if someone else took the

> While you are at it, there are also CVE-2014-9640 and CVE-2014-9639, which
> can be seen in [1].

Ah, good point.  The changelog in git looks like this now:

vorbis-tools (1.4.0-1+deb7u1) wheezy-security; urgency=medium

  * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749)
    (Closes: 797461).
  * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639).
    (Closes: 776086)
  * Fix oggenc crash on closing raw input files by backporting r19117 from upstream
    (CVE-2014-9640) (Closes: #771363).

 -- Petter Reinholdtsen <pere@debian.org>  Sun, 02 Jul 2017 20:53:04 +0200

Happy hacking
Petter Reinholdtsen
