[Vorbis-dev] libvorbis 1.3.6 - critical security update
Thomas Daede
bztdlinux at gmail.com
Fri Mar 16 17:19:46 UTC 2018
libvorbis 1.3.6 has been released. This release fixes several
vulnerabilities, including CVE-2018-5146, that could allow code
execution from a specially crafted Ogg Vorbis file.
* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on uninitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes
https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg
Tremor has also been updated in git.
https://git.xiph.org/?p=tremor.git;a=summary