According to Secunia: Some vulnerabilities have been reported in AlsaPlayer, which potentially can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to boundary errors in the vorbis input plug-in when processing .OGG files. These can be exploited to cause buffer overflows via a specially crafted .OGG file with overly long comments. Successful exploitation may allow execution of arbitrary code. Solution: The vendor has released 0.99.80-rc3, which fixes the vulnerabilities. Provided and/or discovered by: The vendor credits Erik Sjölund.
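An added example, not AlsaPlayer's code or the vendor's fix: a bounds-checked reader for the Vorbis comment header layout (little-endian 32-bit lengths in front of the vendor string and each comment) that copies one tag into a fixed-size field. The names `vc_get`, `make_header` and `FIELD_MAX`, and the 32-byte field size, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 32  /* assumed size of a fixed metadata field in a player */

/* Read a little-endian 32-bit value; fails if fewer than 4 bytes remain. */
static int rd32(const uint8_t *p, size_t n, size_t *off, uint32_t *v) {
    if (n - *off < 4) return -1;
    const uint8_t *q = p + *off;
    *v = (uint32_t)q[0] | (uint32_t)q[1] << 8 | (uint32_t)q[2] << 16 | (uint32_t)q[3] << 24;
    *off += 4;
    return 0;
}
/* Vorbis comment field names compare case-insensitively. */
static int key_eq(const uint8_t *c, const char *key, size_t klen) {
    for (size_t i = 0; i < klen; i++)
        if (tolower(c[i]) != tolower((unsigned char)key[i])) return 0;
    return 1;
}
/* Copy the value of comment `key` (e.g. "TITLE") into dst[FIELD_MAX].
 * Returns 0 if copied whole, 1 if truncated, -1 if absent or malformed. */
int vc_get(const uint8_t *p, size_t n, const char *key, char dst[FIELD_MAX]) {
    size_t off = 0, klen = strlen(key);
    uint32_t len, count;
    dst[0] = '\0';
    if (rd32(p, n, &off, &len) || len > n - off) return -1;  /* vendor string */
    off += len;
    if (rd32(p, n, &off, &count)) return -1;
    while (count--) {  /* an inflated count ends at the first failed read */
        if (rd32(p, n, &off, &len) || len > n - off) return -1;  /* length exceeds data */
        const uint8_t *c = p + off;
        off += len;
        if (len > klen && c[klen] == '=' && key_eq(c, key, klen)) {
            size_t vlen = len - klen - 1;
            size_t m = vlen < FIELD_MAX - 1 ? vlen : FIELD_MAX - 1;
            memcpy(dst, c + klen + 1, m);  /* never more than the field holds */
            dst[m] = '\0';
            return vlen > m;
        }
    }
    return -1;
}
/* Constructed sample input: empty vendor string and one comment whose declared
 * length may differ from the bytes present. `out` needs 12 + strlen(comment). */
size_t make_header(uint8_t *out, const char *comment, uint32_t declared) {
    uint32_t f[3] = {0, 1, declared};  /* vendor length, comment count, comment length */
    size_t off = 0;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) out[off++] = (uint8_t)(f[i] >> (8 * b));
    memcpy(out + off, comment, strlen(comment));
    return off + strlen(comment);
}
```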
0.99.80-rc3 is already in the tree, 0.99.80-rc4 was released as a bugfix today. Sound, please advise for a fixed version to stable.
(In reply to comment #1)
> 0.99.80-rc3 is already in the tree, 0.99.80-rc4 was released as a bugfix today.
>
> Sound, please advise for a fixed version to stable.
Yes, we have -rc3 in tree, but this has never been stable, so status should be ~2. Also, the said vulnerability has been fixed in -rc3, not -rc4, so nothing has to be done here wrt security. -rc4 seems to fix other bugs, not this one. Closing, please re-open in case I'm fatally wrong.
And rc4 is in tree now.
(In reply to comment #2)
> Yes, we have -rc3 in tree, but this has never been stable, so status should be ~2.
My bad, need new pair of eyes.