Seems this piece of code is widely bundled. xine-lib 1.1.12 mentions CVE in release announcement, so bump should do it. libfishsound should be ok with in-portage version 0.9.1. speex: unsure, probably unfixed.
looks like duplicate of bug 217715
*** This bug has been marked as a duplicate of bug 217715 ***