List:       vorbis
Subject:    Re: [Vorbis] libvorbis 1.3.6 - critical security update
From:       Jean-Marc Valin <jmvalin () jmvalin ! ca>
Date:       2018-03-16 17:34:50
Message-ID: dff20e49-d15c-3994-cd35-14070014bfa6 () jmvalin ! ca
Many thanks to Thomas for handling this security issue quickly. For
those who need just the most critical CVE (though the other CVEs should
be patched as well), the fixes are:

Vorbis:
https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4a

Tremor:
https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4

Cheers,

	Jean-Marc

On 03/16/2018 01:19 PM, Thomas Daede wrote:
> libvorbis 1.3.6 has been released. This release fixes several
> vulnerabilities, including CVE-2018-5146, that could allow code
> execution from a specially crafted Ogg Vorbis file.
> 
> * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
> * Fix CVE-2017-14632 - free() on uninitialized data.
> * Fix CVE-2017-14633 - out-of-bounds read.
> * Fix bitrate metadata parsing.
> * Fix out-of-bounds read in codebook parsing.
> * Fix residue vector size in Vorbis I spec.
> * Appveyor support
> * Travis CI support
> * Add secondary CMake build system.
> * Build system fixes
> 
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg
> 
> Tremor has also been updated in git.
> 
> https://git.xiph.org/?p=tremor.git;a=summary
> _______________________________________________
> Vorbis mailing list
> Vorbis@xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis
> 