Thomas Daede
2018-Mar-16 17:19 UTC
[Vorbis-dev] libvorbis 1.3.6 - critical security update
libvorbis 1.3.6 has been released. This release fixes several vulnerabilities, including CVE-2018-5146, that could allow code execution from a specially crafted Ogg Vorbis file.

* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on uninitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes

https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg

Tremor has also been updated in git.

https://git.xiph.org/?p=tremor.git;a=summary
Jean-Marc Valin
2018-Mar-16 17:34 UTC
[Vorbis-dev] [Vorbis] libvorbis 1.3.6 - critical security update
Many thanks to Thomas for handling this security issue quickly. For those who need just the most critical CVE (though the other CVEs should be patched as well), the fixes are:

Vorbis: https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4a
Tremor: https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4

Cheers,
Jean-Marc

On 03/16/2018 01:19 PM, Thomas Daede wrote:
> libvorbis 1.3.6 has been released. This release fixes several
> vulnerabilities, including CVE-2018-5146, that could allow code
> execution from a specially crafted Ogg Vorbis file.
>
> * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
> * Fix CVE-2017-14632 - free() on uninitialized data
> * Fix CVE-2017-14633 - out-of-bounds read
> * Fix bitrate metadata parsing.
> * Fix out-of-bounds read in codebook parsing.
> * Fix residue vector size in Vorbis I spec.
> * Appveyor support
> * Travis CI support
> * Add secondary CMake build system.
> * Build system fixes
>
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg
>
> Tremor has also been updated in git.
>
> https://git.xiph.org/?p=tremor.git;a=summary
> _______________________________________________
> Vorbis mailing list
> Vorbis at xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis