CVE-2009-2663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2663): libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.
Created attachment 200418: 0001-First-half-of-fix-for-Mozilla-BZ-500254.patch
Created attachment 200419: 0002-Second-half-of-fix-to-Mozilla-BZ-5000254-sanity-chec.patch
These are in 1.2.3. I verified by checking the code line by line. It can go stable.
Thanks for the fast check ;-)
Arches, please test and mark stable: =media-libs/libvorbis-1.2.3
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
media-libs/fmod (both slots) bundles a libvorbis interface; whether this is libvorbis itself, Tremor or nothing at all I cannot tell (since it's proprietary closed source).
x86 stable
ppc64 done
Stable for HPPA.
Stable on alpha.
amd64 stable
arm/ia64/sh/sparc stable
ppc stable
GLSA request filed.
GLSA 200909-02