| Field | Value |
|---|---|
| Summary: | media-sound/vorbis-tools <1.2.0-r1 speex implementations insufficient boundary checks |
| Product: | Gentoo Security |
| Reporter: | Matthias Geerdsen (RETIRED) <vorlon> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX |
| Severity: | normal |
| CC: | aballier, sound, ssuominen |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | https://trac.xiph.org/ticket/1347 |
| Whiteboard: | B2 [noglsa] |
| Package list: | |
| Runtime testing required: | --- |
| Bug Depends on: | 217715 |
| Bug Blocks: | |
Description
Matthias Geerdsen (RETIRED)
2008-04-14 09:15:50 UTC
(In reply to comment #0)
> This bug is not public yet, please do not disclose any information.
>
> vorbis-tools appears to include vulnerable speex code
>
> see http://www.ocert.org/advisories/ocert-2008-2.html
> as well as bug 216499 and bug 217373 for similar issues
>

```
+*vorbis-tools-1.2.0-r1 (14 Apr 2008)
+
+  14 Apr 2008; Samuli Suominen <drac@gentoo.org>
+  +files/vorbis-tools-1.2.0-sec.patch, +vorbis-tools-1.2.0-r1.ebuild:
+  Fix for security #217603.
```

Should be fine, but kindly review vorbis-tools-1.2.0-sec.patch to verify.

(In reply to comment #0)
> This bug is not public yet, please do not disclose any information.

I've talked about it with aballier, and reported it at upstream trac (since it has been a pain to get hold of xiph guys by other means).

Maybe I should have included a bit more information, but this was not meant to be made public yet (see first sentence in description and CONFIDENTIAL in status whiteboard), even though this was more of a semi-public but a confidential bug. BTW, maintainers have been contacted by oCERT a few days ago, AFAIK. http://www.gentoo.org/security/en/coordinator_guide.xml#doc_chap4 has the details on handling confidential vulnerabilities.

Arch Security Liaisons, please test and mark stable:
=media-sound/vorbis-tools-1.2.0-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer

Stable for HPPA.

ppc64 stable

Adding Tobias for alpha

Sparc stable.

amd64 stable

x86 stable

Stable for alpha.

ppc stable

now public via http://www.ocert.org/advisories/ocert-2008-004.html

This will be fixed with the speex update in bug 217715, keeping open until the GLSA has been released.

removing arch liaisons, adding herd, ...

speex has been sent as GLSA 200804-17, this also fixes this bug.