<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Thank you Ralph!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ralph Giles <giles@thaumas.net> <br>
<b>Sent:</b> Tuesday, June 30, 2020 11:58 AM<br>
<b>To:</b> Ellen Johnson <ellenj@mathworks.com>; Vorbis Codec Mailing List <vorbis-dev@xiph.org><br>
<b>Subject:</b> Re: [Vorbis-dev] can we help with libvorbis release for CVE fixes?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yes, the gitlab instance is the correct upstream development<br>
repository. We maintain a mirror at github for the convenience of<br>
developers there.<br>
<br>
Cheers,<br>
Ralph<br>
<br>
On Mon, 2020-06-29 at 21:27 +0000, Ellen Johnson wrote:<br>
> Hi Ralph and libvorbis developers,<br>
> I thought the vorbis gitlab project was the main development site (<br>
> <a href="https://gitlab.xiph.org/xiph/vorbis">
https://gitlab.xiph.org/xiph/vorbis</a>) because that's what the NVD CVE<br>
> tracker points to for the two CVEs I mentioned. But I just realized<br>
> there's also a vorbis github project (<a href="https://github.com/xiph/vorbis">https://github.com/xiph/vorbis</a>)<br>
> . Both appear to have recent activity.<br>
> Is the gitlab project the correct one to get the CVE fixes from so<br>
> we can patch our 1.3.6 to have latest security fixes?<br>
> Thanks!<br>
> ellen<br>
> <br>
> -----Original Message-----<br>
> From: Ellen Johnson <br>
> Sent: Friday, June 12, 2020 12:19 PM<br>
> To: Ralph Giles <<a href="mailto:giles@thaumas.net">giles@thaumas.net</a>>; <a href="mailto:vorbis-dev@xiph.org">
vorbis-dev@xiph.org</a><br>
> Subject: RE: [Vorbis-dev] can we help with libvorbis release for CVE<br>
> fixes?<br>
> <br>
> Hi Ralph,<br>
> Thank you for your reply! <br>
> For context -- we consider reported CVEs as bugs even if it's in a<br>
> third-party library we use (such as libvorbis). We first determine<br>
> if the CVE is something that would impact our customer workflows. In<br>
> this case because of our use of libvorbis for audio I/O, it does<br>
> impact our customers so we need to resolve the CVE as soon as<br>
> possible.<br>
> In the short term until a new version is released, I'd like to<br>
> patch our libvorbis 1.3.6 with the two CVE fixes that I think are on<br>
> the master branch. From the gitlab comments, I'm pretty sure CVE-<br>
> 2018-10392 is fixed via issue 2335, but I'm still fuzzy on whether<br>
> CVE-2018-10393 is fixed via issue 2334 because of its link to<br>
> duplicate issue 2330 which doesn't exist. See <br>
> <a href="https://gitlab.xiph.org/xiph/vorbis/-/issues/2334">
https://gitlab.xiph.org/xiph/vorbis/-/issues/2334</a> and the comment by<br>
> Monty saying it's a dup of 2330, but Pierre comments that 2330<br>
> doesn't exist so he asked if Monty can point to the fix.<br>
> In the longer term, we'd love to talk more about how we can help<br>
> move the next release along and contribute to the libvorbis project<br>
> in general.<br>
> Yes, if you can please verify that both these CVEs are fixed in<br>
> master branch, I'd really appreciate it.<br>
> Thank you!<br>
> ellen<br>
> MATLAB Audio, Video, Image, and Scientific Data Formats<br>
> MathWorks<br>
> <br>
> -----Original Message-----<br>
> From: Ralph Giles <<a href="mailto:giles@thaumas.net">giles@thaumas.net</a>><br>
> Sent: Wednesday, June 10, 2020 6:58 PM<br>
> To: Ellen Johnson <<a href="mailto:ellenj@mathworks.com">ellenj@mathworks.com</a>>;
<a href="mailto:vorbis-dev@xiph.org">vorbis-dev@xiph.org</a><br>
> Subject: Re: [Vorbis-dev] can we help with libvorbis release for CVE<br>
> fixes?<br>
> <br>
> Hi Ellen,<br>
> <br>
> Thanks for your kind offer to help the release along. We have indeed<br>
> been having trouble finding resources for that.<br>
> <br>
> You can certainly help by testing the git master branch with your<br>
> software and reporting any issues you find. Otherwise, triaging<br>
> outstanding bug reports and patches is always helpful, although<br>
> that's not essential for a security-based release.<br>
> <br>
> I'll try to find out what the resolution on the reported CVEs was.<br>
> <br>
> Cheers,<br>
> -r<br>
> <br>
> On Wed, 2020-06-10 at 18:51 +0000, Ellen Johnson wrote:<br>
> > Hi libvorbis developers!<br>
> > I’m wondering if you had a chance to see my request for<br>
> > releasing a <br>
> > new libvorvis version – this is to have an official libvorbis<br>
> > release <br>
> > containing the CVE fixes that appear to be fixed in the master<br>
> > branch.<br>
> > Is there anything we can do to help with getting a release out?<br>
> > We’re happy to work with you on this. Please let us know if we can<br>
> > do <br>
> > anything to help move this along.<br>
> > Thank you!<br>
> > Ellen Johnson<br>
> > MATLAB Audio, Video, Image, and Scientific Data Formats<br>
> > MathWorks<br>
> > <br>
> > <br>
> > From: Ellen Johnson<br>
> > Sent: Tuesday, May 26, 2020 5:48 PM<br>
> > To: <a href="mailto:vorbis-dev@xiph.org">vorbis-dev@xiph.org</a><br>
> > Subject: libvorbis release for recent CVE fixes?<br>
> > <br>
> > Hi libvorbis developers, <br>
> > I hope you all are well!<br>
> > Here at MathWorks we use libvorbis as part of our MATLAB audio<br>
> > I/O <br>
> > functionality, and our current version is your latest version<br>
> > 1.3.6.<br>
> > We’ve had the following libvorbis CVEs reported to us which appear<br>
> > to <br>
> > be fixed in your gitlab master branch and which impact our customer<br>
> > workflows:<br>
> > CVE-2018-10392 (looks like it’s fixed via gitlab issue 2335)<br>
> > CVE-2018-10393 (looks like it’s fixed via gitlab issue 2334,<br>
> > but <br>
> > the link to its duplicate issue 2330 does not work so I’m not 100% <br>
> > sure if this is fixed)<br>
> > Can you please do a point release so that we can be security <br>
> > compliant for our MATLAB customers?<br>
> > Thank you!<br>
> > Ellen Johnson<br>
> > MATLAB Audio, Video, Image, and Scientific Data Formats<br>
> > MathWorks<br>
> > <br>
> > _______________________________________________<br>
> > Vorbis-dev mailing list<br>
> > <a href="mailto:Vorbis-dev@xiph.org">Vorbis-dev@xiph.org</a><br>
> > <a href="http://lists.xiph.org/mailman/listinfo/vorbis-dev">
http://lists.xiph.org/mailman/listinfo/vorbis-dev</a>.<br>
> > xiph.org<o:p></o:p></p>
</div>
</body>
</html>