CVE-2020-23903 (https://github.com/xiph/speex/issues/13): A Divide by Zero vulnerability in the function static int read_samples of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file. CVE-2020-23904 (https://github.com/xiph/speex/issues/14): A stack buffer overflow in speexenc.c of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file. The former has a patch merged: https://github.com/xiph/speex/commit/870ff845b32f314aec0036641ffe18aba4916887
Upstream says they can't reproduce the second issue, and I can't either. Let's treat that one as invalid. The first issue is fixed in 1.2.1, and tree is clean. All done.