Comment 1 Larry the Git Cow 2018-03-17 13:43:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b027a1630d19999f03a141f7d1be13d285571f6

commit 8b027a1630d19999f03a141f7d1be13d285571f6
Author:     Alexis Ballier <aballier@gentoo.org>
AuthorDate: 2018-03-17 13:43:20 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2018-03-17 13:43:30 +0000

    media-libs/libvorbis: bump to 1.3.6
    
    Bug: https://bugs.gentoo.org/631632
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 media-libs/libvorbis/Manifest               |  1 +
 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 40 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)}

Comment 2 Sebastian Pipping 2018-03-17 15:09:56 UTC

There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin stating that tremor is affected by the same thing, pointing to commit:

  https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4

The mailing list archive online do not seem to cover 2018.  I have sent a copy to Hanno now, though.

Should there be a dedicated bug for tremor or should this ticket be about both of them?  Only once could be aliases to CVE-2018-5146 if we make two tickets, I suppose.

Comment 3 Christopher Díaz Riveros (RETIRED) 2018-03-17 15:58:41 UTC

(In reply to Sebastian Pipping from comment #2)
> There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin
> stating that tremor is affected by the same thing, pointing to commit:
> 
>   https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> 
> The mailing list archive online do not seem to cover 2018.  I have sent a
> copy to Hanno now, though.
> 
> Should there be a dedicated bug for tremor or should this ticket be about
> both of them?  Only once could be aliases to CVE-2018-5146 if we make two
> tickets, I suppose.

bug 650656 is assigned for tremor, which has CVE-2018-5147

Comment 4 Aaron Bauman (RETIRED) 2018-04-05 17:48:57 UTC

(In reply to Sebastian Pipping from comment #2)
> There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin
> stating that tremor is affected by the same thing, pointing to commit:
> 
>   https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> 
> The mailing list archive online do not seem to cover 2018.  I have sent a
> copy to Hanno now, though.
> 
> Should there be a dedicated bug for tremor or should this ticket be about
> both of them?  Only once could be aliases to CVE-2018-5146 if we make two
> tickets, I suppose.

We can create a tracker bug for the issue.

Comment 5 Aaron Bauman (RETIRED) 2018-04-05 17:51:00 UTC

@arches, please stabilize.

Comment 6 Aaron Bauman (RETIRED) 2018-04-05 17:51:38 UTC

(In reply to Aaron Bauman from comment #4)
> (In reply to Sebastian Pipping from comment #2)
> > There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin
> > stating that tremor is affected by the same thing, pointing to commit:
> > 
> >   https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> > 
> > The mailing list archive online do not seem to cover 2018.  I have sent a
> > copy to Hanno now, though.
> > 
> > Should there be a dedicated bug for tremor or should this ticket be about
> > both of them?  Only once could be aliases to CVE-2018-5146 if we make two
> > tickets, I suppose.
> 
> We can create a tracker bug for the issue.

disregard

Comment 7 Thomas Deutschmann (RETIRED) 2018-04-05 23:21:55 UTC

x86 stable

Comment 8 Larry the Git Cow 2018-04-06 00:42:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdbbf187fd7e4710e247d003f3af2e83a448160a

commit fdbbf187fd7e4710e247d003f3af2e83a448160a
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-06 00:40:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-06 00:41:02 +0000

    media-libs/libvorbis: amd64 stable
    
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}

Comment 9 Tobias Klausmann (RETIRED) 2018-04-06 17:14:32 UTC

Stable on alpha.

Comment 10 Larry the Git Cow 2018-04-07 10:43:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05663070a8588ac39b87c95e2eb4b8e4f1e9aefa

commit 05663070a8588ac39b87c95e2eb4b8e4f1e9aefa
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-07 08:09:47 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-07 10:42:15 +0000

    media-libs/libvorbis: stable 1.3.6 for sparc
    
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}

Comment 11 Matt Turner 2018-04-08 04:59:48 UTC

ppc/ppc64 stable

Comment 12 Mikle Kolyada (RETIRED) 2018-04-21 11:54:14 UTC

arm stable

Comment 13 Matt Turner 2018-04-22 20:19:55 UTC

hppa stable

Comment 14 Aaron Bauman (RETIRED) 2018-04-22 21:27:36 UTC

GLSA Vote: No

Comment 15 Larry the Git Cow 2018-04-22 21:28:59 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d018a14c77675c9cfe98b2147006ecf583a015c

commit 2d018a14c77675c9cfe98b2147006ecf583a015c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-22 21:28:26 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-22 21:28:51 +0000

    media-libs/libvorbis: drop vulnerable
    
    Closes: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 media-libs/libvorbis/Manifest               |  1 -
 media-libs/libvorbis/libvorbis-1.3.5.ebuild | 39 -----------------------------
 2 files changed, 40 deletions(-)