libvorbis 1.3.6 fixes one of the vulns found in Firefox during the Pwn2Own competition and two other less severe vulns:
https://github.com/xiph/vorbis/releases/tag/v1.3.6
The other vulns are already tracked in #631632. Please bump.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b027a1630d19999f03a141f7d1be13d285571f6
commit 8b027a1630d19999f03a141f7d1be13d285571f6
Author:     Alexis Ballier <aballier@gentoo.org>
AuthorDate: 2018-03-17 13:43:20 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2018-03-17 13:43:30 +0000
    media-libs/libvorbis: bump to 1.3.6
    Bug: https://bugs.gentoo.org/631632
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
 media-libs/libvorbis/Manifest               |  1 +
 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 40 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
There's a mail on the xiph-announce mailing list by Xiph member Jean-Marc Valin stating that tremor is affected by the same thing, pointing to commit:
https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
The mailing list archive online does not seem to cover 2018. I have sent a copy to Hanno now, though.
Should there be a dedicated bug for tremor or should this ticket be about both of them? Only one could be aliased to CVE-2018-5146 if we make two tickets, I suppose.
(In reply to Sebastian Pipping from comment #2)
> There's a mail on the xiph-announce mailing list by Xiph member Jean-Marc Valin
> stating that tremor is affected by the same thing, pointing to commit:
>
> https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
>
> The mailing list archive online does not seem to cover 2018. I have sent a
> copy to Hanno now, though.
>
> Should there be a dedicated bug for tremor or should this ticket be about
> both of them? Only one could be aliased to CVE-2018-5146 if we make two
> tickets, I suppose.
Bug 650656 is assigned for tremor, which has CVE-2018-5147.
(In reply to Sebastian Pipping from comment #2)
> There's a mail on the xiph-announce mailing list by Xiph member Jean-Marc Valin
> stating that tremor is affected by the same thing, pointing to commit:
>
> https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
>
> The mailing list archive online does not seem to cover 2018. I have sent a
> copy to Hanno now, though.
>
> Should there be a dedicated bug for tremor or should this ticket be about
> both of them? Only one could be aliased to CVE-2018-5146 if we make two
> tickets, I suppose.
We can create a tracker bug for the issue.
@arches, please stabilize.
(In reply to Aaron Bauman from comment #4)
> (In reply to Sebastian Pipping from comment #2)
> > There's a mail on the xiph-announce mailing list by Xiph member Jean-Marc Valin
> > stating that tremor is affected by the same thing, pointing to commit:
> >
> > https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> >
> > The mailing list archive online does not seem to cover 2018. I have sent a
> > copy to Hanno now, though.
> >
> > Should there be a dedicated bug for tremor or should this ticket be about
> > both of them? Only one could be aliased to CVE-2018-5146 if we make two
> > tickets, I suppose.
>
> We can create a tracker bug for the issue.
disregard
x86 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdbbf187fd7e4710e247d003f3af2e83a448160a
commit fdbbf187fd7e4710e247d003f3af2e83a448160a
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-06 00:40:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-06 00:41:02 +0000
    media-libs/libvorbis: amd64 stable
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05663070a8588ac39b87c95e2eb4b8e4f1e9aefa
commit 05663070a8588ac39b87c95e2eb4b8e4f1e9aefa
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-07 08:09:47 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-07 10:42:15 +0000
    media-libs/libvorbis: stable 1.3.6 for sparc
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"
 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ppc/ppc64 stable
arm stable
hppa stable
GLSA Vote: No
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d018a14c77675c9cfe98b2147006ecf583a015c
commit 2d018a14c77675c9cfe98b2147006ecf583a015c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-22 21:28:26 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-22 21:28:51 +0000
    media-libs/libvorbis: drop vulnerable
    Closes: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.31, Repoman-2.3.9
 media-libs/libvorbis/Manifest               |  1 -
 media-libs/libvorbis/libvorbis-1.3.5.ebuild | 39 -----------------------------
 2 files changed, 40 deletions(-)