This bug is not public yet, please do not disclose any information. vorbis-tools appears to include vulnerable speex code; see http://www.ocert.org/advisories/ocert-2008-2.html as well as bug 216499 and bug 217373 for similar issues.
Do we have a proof of concept for this? Like a file that would make apps crash, to send upstream, as the number of affected apps is growing. Patch is easy but upstream should be contacted first; how can we know if it has been done?
Sorry for the lack of information. Upstream should have been contacted by oCERT, which is where the notification about the affected applications came from. I asked about which upstreams of affected packages responded and will let you know.
(In reply to comment #1)
> Do we have a proof of concept for this?

Unfortunately, not.
This does not need to be fixed if we enable the workaround in libspeex, which is bug 217715.
Now public via http://www.ocert.org/advisories/ocert-2008-004.html
Closing, see comment #4.