On Tue, Sep 26, 2017 at 12:24:14AM +0200, Petter Reinholdtsen wrote:
> [Salvatore Bonaccorso]
> > the following vulnerability was published for libvorbis.
>
> Thank you for following up on this. I hope a fix shows up from upstream
> for this and other security issues. :)
>
> I was just told on #xiph that this issue also might affect speex:
>
>   <daddesio> rillian: speex may also be affected by that
>   bark_noise_hybridmp bug (CVE-2017-14160) since it includes that very
>   same function, via vorbis_psy.c.
>   <daddesio> see:
>   https://git.xiph.org/?p=speex.git;a=blob;f=libspeex/vorbis_psy.c;h=cb385b7a349486a09a3db20adf225100993111c5;hb=HEAD#l189
>
> I have not verified that this is the case, but thought it best to
> mention it here until someone has time to check it out.
I think you'll find that's only included in speex if VORBIS_PSYCHO is
defined, which by default it isn't, and there's no configure option to
enable it; you'd need to hand-hack the source. That was an experiment
which never really proved its worth, but the code was still around in
case someone had other ideas for it.

In the case of the exported tarballs (which the current distro packages
are based on), vorbis_psy.c isn't one of the exported files. So it's
there in git, but it's not in the Debian source, and I'd be surprised if
anyone is building binaries with it enabled anywhere.

Cheers,
Ron
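Ron's point that the function only reaches a speex build when VORBIS_PSYCHO is hand-defined suggests a quick audit of a source tree or built library. The script below is an added example, not from the thread or the Speex project; the function name speex_psy_check and its exit codes are my own, and it assumes the libspeex/vorbis_psy.c layout from the linked URL and that nm is available for the optional binary check.

```shell
#!/bin/sh
# Added example (not part of the thread): report whether a speex source
# tree or built library carries the VORBIS_PSYCHO experiment that pulls
# in vorbis_psy.c, and with it bark_noise_hybridmp (the function named
# for CVE-2017-14160 in libvorbis).
# Usage: speex_psy_check SRC_DIR [LIBSPEEX_PATH]
# Exit 0 = no trace found, 1 = psychoacoustic code present or enabled,
# 2 = usage error. (Exit codes are this example's own convention.)
speex_psy_check() {
    src="$1"; lib="$2"; found=0
    if [ ! -d "$src" ]; then
        echo "usage: speex_psy_check SRC_DIR [LIBSPEEX_PATH]" >&2
        return 2
    fi
    # 1. Is vorbis_psy.c shipped at all? Ron notes the exported tarballs
    #    omit it, so its presence means a git checkout or a modified tree.
    if [ -f "$src/libspeex/vorbis_psy.c" ]; then
        echo "present: $src/libspeex/vorbis_psy.c is in the tree"
        found=1
    fi
    # 2. Is VORBIS_PSYCHO actually enabled? There is no configure option,
    #    so only a hand-added '#define VORBIS_PSYCHO' or a -DVORBIS_PSYCHO
    #    build flag turns it on. Plain '#ifdef VORBIS_PSYCHO' guards in
    #    the stock sources deliberately do not match.
    if grep -rqsE '(^[[:space:]]*#[[:space:]]*define[[:space:]]+VORBIS_PSYCHO|-DVORBIS_PSYCHO)' "$src"; then
        echo "enabled: VORBIS_PSYCHO is defined in the build sources"
        found=1
    fi
    # 3. Optional: does a built library contain the function symbol?
    #    Tries dynamic symbols first, then the full table (static archive).
    if [ -n "$lib" ] && [ -f "$lib" ] && command -v nm >/dev/null 2>&1; then
        if nm -D "$lib" 2>/dev/null | grep -q bark_noise_hybridmp \
           || nm "$lib" 2>/dev/null | grep -q bark_noise_hybridmp; then
            echo "compiled in: $lib contains bark_noise_hybridmp"
            found=1
        fi
    fi
    if [ "$found" -eq 0 ]; then
        echo "clean: no vorbis_psy.c / VORBIS_PSYCHO trace in $src"
    fi
    return "$found"
}

# Run directly: speex_psy_check on the command-line arguments, if any.
if [ "$#" -gt 0 ]; then
    speex_psy_check "$@"
fi
```

A stock tarball tree with no library argument should report "clean"; a git checkout reports vorbis_psy.c as present even though nothing compiles it unless the macro is also defined.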