Bug#1091633: libtheora: CVE-2024-56431

To: submit@bugs.debian.org
Subject: Bug#1091633: libtheora: CVE-2024-56431
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sat, 28 Dec 2024 23:17:19 +0100
Message-id: <[🔎] Z3B47139txydeSey@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 1091633@bugs.debian.org

Source: libtheora
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for libtheora.

CVE-2024-56431[0]:
| oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0
| 7180717 has an invalid negative left shift.

https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC
https://github.com/advisories/GHSA-8xp8-gmmj-xc8w
https://github.com/xiph/theora/issues/18

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56431
    https://www.cve.org/CVERecord?id=CVE-2024-56431

Please adjust the affected versions in the BTS as needed.

Reply to:

Prev by Date: Processing of intel-gmmlib_22.6.0+ds1-1_source.changes
Next by Date: juce is marked for autoremoval from testing
Previous by thread: Processing of intel-gmmlib_22.6.0+ds1-1_source.changes
Next by thread: juce is marked for autoremoval from testing
Index(es):
- Date
- Thread