xiph's (lib)speex 1.2 beta 3.2 has been tagged that fixes CVE-2008-1686 directly in the speex_header_to_packet() function which applications use. Sanitations inside applications are therefore unnecessary. Patch: https://trac.xiph.org/changeset/14701
And we have it in Portage now,

*speex-1.2_beta3_p2 (15 Apr 2008)

  15 Apr 2008; Samuli Suominen <drac@gentoo.org> -speex-1.1.7.ebuild,
  +speex-1.2_beta3_p2.ebuild:
  Version bump.
Arch Security Liaisons, please test and mark stable:
=media-libs/speex-1.2_beta3_p2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer
Adding Tobias for alpha
Sparc stable (tested with {.wav}).
ppc64 stable
amd64 stable, tested by playing with ogg123 (vorbis-tools using USE speex) and converting .spx to .wav and back to .spx using speexdec and speexenc. Also tested by an AT (VQuickSilver, Freenode), thanks to him.
Stable for alpha.
*** Bug 217820 has been marked as a duplicate of this bug. ***
ppc stable
x86 stable
now public via http://www.ocert.org/advisories/ocert-2008-004.html
removing arch security liaisons, adding missing arches, adding sound herd
hope I didn't forget to remove/add anyone
glsa request filed
really removing this time
ia64 stable
Removing myself since I stood in for ferdy as sec liaison for Alpha.
GLSA 200804-17.
Fixed in release snapshot.