From https://bugzilla.redhat.com/show_bug.cgi?id=1412632:

A vulnerability was found in libebml. A use after free/double free vulnerability can occur in libebml while parsing Track elements of the MKV container which would crash the application.

References: http://www.talosintelligence.com/reports/TALOS-2016-0037/

From https://bugzilla.redhat.com/show_bug.cgi?id=1412629:

A vulnerability was found in libebml. A specially crafted unicode string can cause an off-by-few read on the heap in unicode string parsing code in libebml. This issue can potentially be used for information leaks.

References: http://www.talosintelligence.com/reports/TALOS-2016-0036/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@maintainers, has this been stabilized? Can this be sent to GLSA?

Mike Boyle
Gentoo Security Padawan
Per https://bugzilla.redhat.com/show_bug.cgi?id=1303861, this was fixed in anything newer than 1.3.3... and we have 1.3.4 and 1.3.5 in the tree.
Downgrading to B3 since it's a DoS vulnerability. Tree clean.

GLSA Vote: No