Bug 217715 - media-libs/speex <1.2_beta3_p2 introduces checks for negative header mode
Bug#: 217715 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: 
Summary: media-libs/speex <1.2_beta3_p2 introduces checks for negative header mode
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2008-04-14 20:01 0000
Description:   Opened: 2008-04-14 20:01 0000 
xiph's (lib)speex 1.2 beta 3.2 has been tagged that fixes CVE-2008-1686
directly in the the speex_header_to_packet() function which applications use.
Sanitations inside applications are therefore unnecessary.

Patch:
  https://trac.xiph.org/changeset/14701

------- Comment #1 From Samuli Suominen 2008-04-15 09:35:05 0000 ------- 
And we have it in Portage now,

*speex-1.2_beta3_p2 (15 Apr 2008)

  15 Apr 2008; Samuli Suominen <drac@gentoo.org> -speex-1.1.7.ebuild,
  +speex-1.2_beta3_p2.ebuild:
  Version bump.

------- Comment #2 From Robert Buchholz 2008-04-15 10:38:43 0000 ------- 
Arch Security Liaisons, please test and mark stable:
=media-libs/speex-1.2_beta3_p2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

------- Comment #3 From Raúl Porcel 2008-04-15 13:17:57 0000 ------- 
Adding Tobias for alpha

------- Comment #4 From Ferris McCormick 2008-04-15 13:46:01 0000 ------- 
Sparc stable (tested with {.wav}).

------- Comment #5 From Markus Rothe 2008-04-15 16:17:10 0000 ------- 
ppc64 stable

------- Comment #6 From Samuli Suominen 2008-04-15 16:51:29 0000 ------- 
amd64 stable, tested by playing with ogg123 (vorbis-tools using USE speex) and
converting .spx to .wav and back to .spx using speexdec and speexenc
also tested by an AT (VQuickSilver, Freenode), thanks to him

------- Comment #7 From Tobias Klausmann 2008-04-15 20:00:45 0000 ------- 
Stable for alpha.

------- Comment #8 From Robert Buchholz 2008-04-15 21:53:19 0000 ------- 
*** Bug 217820 has been marked as a duplicate of this bug. ***

------- Comment #9 From Tobias Scherbaum 2008-04-16 19:08:12 0000 ------- 
ppc stable

------- Comment #10 From Markus Meier 2008-04-17 01:04:10 0000 ------- 
x86 stable

------- Comment #11 From Matthias Geerdsen 2008-04-17 09:42:39 0000 ------- 
now public via http://www.ocert.org/advisories/ocert-2008-004.html

------- Comment #12 From Matthias Geerdsen 2008-04-17 09:59:20 0000 ------- 
removing arch security liaisons, adding missing arches, adding sound herd
hope I didn't forget to remove/add anyone

glsa request filed

------- Comment #13 From Matthias Geerdsen 2008-04-17 10:02:30 0000 ------- 
really removing this time

------- Comment #14 From Raúl Porcel 2008-04-17 10:18:10 0000 ------- 
ia64 stable

------- Comment #15 From Tobias Klausmann 2008-04-17 10:53:48 0000 ------- 
Removing myself since I stood in for ferdy as sec liaison for Alpha.

------- Comment #16 From Robert Buchholz 2008-04-17 12:15:52 0000 ------- 
GLSA 200804-17.

------- Comment #17 From Peter Volkov 2008-04-21 08:16:15 0000 ------- 
Fixed in release snapshot.