This bug is not public yet, please do not disclose any information. gst-plugins-good appears to include vulnerable speex code see http://www.ocert.org/advisories/ocert-2008-2.html as well as bug 216499 and bug 217373 for similar issues
patch is available: http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41
I wonder how this affects media-plugins/gst-plugins-speex
+*gst-plugins-speex-0.10.7-r1 (14 Apr 2008) + + 14 Apr 2008; Samuli Suominen <drac@gentoo.org> + +files/gst-plugins-speex-0.10.7-sec.patch, + +gst-plugins-speex-0.10.7-r1.ebuild: + Fix for security #217609.
gst-plugins-speex is a "gentoo split" from -good, so that's where it should be patched and for arches, http://samples.mplayerhq.hu/A-codecs/speex/talk109-q5.spx, a sample file
Arch Security Liaisons, please test and mark stable: =media-plugins/gst-plugins-speex-0.10.7-r1 Target keywords : "ppc ppc64 release sparc" CC'ing current Liaisons: ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor
ppc64 stable
corsair, fmccor, and others. because this needs gstreamer 0.10.17, make sure you stable also newer version of gst-plugins-ugly, 0.10.6-r1 or newer is OK. this is to avoid blockers, repoman won't reveal this.
Sparc stable for gst-plugins-speex <0.10.7-r1. This requires also sparc stable for: gstreamer-0.10.7 gst-plugins-base-0.10.7 gst-plugins-ugly-10.6-r1 All done.
now public via http://www.ocert.org/advisories/ocert-2008-004.html
This will be fixed with the speex update in bug 217715, keeping open until the GLSA has been released.
speex has been sent as GLSA 200804-17, this also fixes this bug.
