control: tags -1 +patch

Hi,

On Mon, Sep 25, 2017 at 09:46:53PM +0200, Salvatore Bonaccorso wrote:
> Source: libvorbis
> Version: 1.3.5-4
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2329
>
> Hi,
>
> the following vulnerability was published for libvorbis.
>
> CVE-2017-14633[0]:
> | In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
> | exists in the function mapping0_forward() in mapping0.c, which may lead
> | to DoS when operating on a crafted audio file with vorbis_analysis().
>
> On the upstream issue there is no reproducer attached, and no patch
> available as of 2017-09-25 yet.
>
> If you fix the vulnerability, please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14633
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
> [1] https://gitlab.xiph.org/xiph/vorbis/issues/2329
>
> Please adjust the affected versions in the BTS as needed, when more
> is known.

I've proposed a fix upstream here:

    https://github.com/xiph/vorbis/pull/34

Cheers,
 -- Guido