| Summary: | <media-libs/libvorbis-1.3.6-r1: bark_noise_hybridmp() out of bounds access | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ian Zimmerman <nobrowser> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | sound |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://openwall.com/lists/oss-security/2017/09/21/3 | | |
| See Also: | https://gitlab.xiph.org/xiph/vorbis/issues/2330 | | |
| Whiteboard: | A3 [glsa+ cve] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 699862 | | |
| Bug Blocks: | | | |

Description
Ian Zimmerman
2017-09-21 15:06:52 UTC
Classifying as A3 based on indication of DoS vector (crash). No further exploit analysis done.

https://gitlab.xiph.org/xiph/vorbis/issues/2330 has potential patch for this issue

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=733260c31ddf36bc2450e9675eddc93329ab171d

commit 733260c31ddf36bc2450e9675eddc93329ab171d
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-03 00:25:04 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-03 00:25:19 +0000

    media-libs/libvorbis: security bump

    Bug: https://bugs.gentoo.org/631646
    Bug: https://bugs.gentoo.org/699862
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/libvorbis-1.3.6-CVE-2017-14160.patch | 29 +++++++++++
 .../files/libvorbis-1.3.6-CVE-2018-10392.patch | 25 +++++++++
 media-libs/libvorbis/libvorbis-1.3.6-r1.ebuild | 60 ++++++++++++++++++++++
 3 files changed, 114 insertions(+)

Note that patch for CVE-2017-14160 is the same as the patch for CVE-2018-10393 (bug 699862).

Added to an existing GLSA.

This issue was resolved and addressed in GLSA 202003-36 at https://security.gentoo.org/glsa/202003-36 by GLSA coordinator Thomas Deutschmann (whissi).