[Speex-dev] speex affected by vulnerability described in [oCERT 2008-02]

Andrea Barisani lcars at ocert.org
Mon Apr 7 06:34:29 PDT 2008

Hi folks,

we've tried contacting Jean-Marc Valin but the email address bounces. We
published an advisory about libfishsound yesterday; you can find it at the
following URL:


The issues seem to affect Speex (since the code is the same) versions <=
1.1.12. While the 1.2beta branch is not vulnerable, we advise that you fix
with a security release what's advertised as the stable version as well.

We have contacted vendors that ship the speex package. If you know of any project
that links statically or includes the vulnerable code (coming from either speex or
libfishsound), please let us know so that we can send out appropriate

Bye and thanks!

Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars at ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
