control: clone -1 -2
control: retitle -2 missing error checking when encoding vorbis
control: tags -2 +patch

Hi sox maintainers,

On Mon, Nov 20, 2017 at 04:39:51PM +0100, Guido Günther wrote:
> Hi Petter,
> On Tue, Aug 01, 2017 at 08:02:47PM +0200, Petter Reinholdtsen wrote:
> > Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file
> >
> > I've tried to figure out if the recently reported security problems are
> > reported upstream, but the upstream bug tracker is being moved from
> > trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
> > not done yet, so it seems to be impossible to register it with upstream
> > so far.
>
> The issue is at https://gitlab.xiph.org/xiph/vorbis/issues/2332
>
> >
> > Thus I have no idea if there are any patches for this issue yet. Anyone
> > know?
>
> The wav file also seems to suffer from too many channels. When I apply
> the patch from #876778 and then the attached patch sox aborts
> correctly. I did not check if there are other issues in the wav file
> besides too many channels.
>
> (Attaching the patch here since the upstream sox list doesn't seem to
> list my submission).

There seems to be missing error checking in sox

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870341#19

which might cause trouble if libvorbis indicates an error. I've submitted
this patch upstream too but it doesn't seem to make it to the
sourceforge list.

Cheers,
 -- Guido