Bug 699862 (CVE-2018-10392, CVE-2018-10393) - <media-libs/libvorbis-1.3.6-r1: multiple vulnerabilities (CVE-2018-{10392,10393})
Alias: CVE-2018-10392, CVE-2018-10393
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2019-12-06
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve cleanup]
Depends on:
Blocks: CVE-2017-14160
Reported: 2019-11-11 18:12 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-06 15:05 UTC

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 18:12:27 UTC
CVE-2018-10392:
  mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate
  the number of channels, which allows remote attackers to cause a denial of
  service (heap-based buffer overflow or over-read) or possibly have
  unspecified other impact via a crafted file.

CVE-2018-10393:
  bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based
  buffer over-read.
Comment 1 Larry the Git Cow gentoo-dev 2019-12-03 00:25:32 UTC
The bug has been referenced in the following commit(s):

commit 733260c31ddf36bc2450e9675eddc93329ab171d
Author:     Thomas Deutschmann <>
AuthorDate: 2019-12-03 00:25:04 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2019-12-03 00:25:19 +0000

    media-libs/libvorbis: security bump
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <>

 .../files/libvorbis-1.3.6-CVE-2017-14160.patch     | 29 +++++++++++
 .../files/libvorbis-1.3.6-CVE-2018-10392.patch     | 25 +++++++++
 media-libs/libvorbis/libvorbis-1.3.6-r1.ebuild     | 60 ++++++++++++++++++++++
 3 files changed, 114 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-12-03 00:28:20 UTC
Let's wait a few days; the ebuild was migrated from EAPI 5 -> 7.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-15 15:14:23 UTC
New GLSA request filed.
Comment 4 Rolf Eike Beer 2020-03-16 17:45:30 UTC
sparc stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-03-16 21:13:55 UTC
This issue was resolved and addressed in GLSA 202003-36 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Rolf Eike Beer 2020-03-17 17:45:39 UTC
hppa stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-03-17 18:01:26 UTC
Re-opening for remaining architectures.
Comment 8 Mart Raudsepp gentoo-dev 2020-03-17 19:43:34 UTC
arm64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-18 08:50:12 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-18 09:46:29 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-18 11:12:17 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-18 11:14:03 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-18 11:17:17 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-18 15:22:34 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 15 NATTkA bot gentoo-dev 2020-04-06 15:05:08 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.