From bztdlinux at gmail.com Fri Mar 16 17:19:46 2018
From: bztdlinux at gmail.com (Thomas Daede)
Date: Fri, 16 Mar 2018 10:19:46 -0700
Subject: [Vorbis] libvorbis 1.3.6 - critical security update
Message-ID: <85db4d54-abc5-7916-6c99-052a4b7cb43d@gmail.com>

libvorbis 1.3.6 has been released. This release fixes several
vulnerabilities, including CVE-2018-5146, that could allow code
execution from a specially crafted Ogg Vorbis file.

* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on uninitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes

https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg

Tremor has also been updated in git.

https://git.xiph.org/?p=tremor.git;a=summary


From jmvalin at jmvalin.ca Fri Mar 16 17:34:50 2018
From: jmvalin at jmvalin.ca (Jean-Marc Valin)
Date: Fri, 16 Mar 2018 13:34:50 -0400
Subject: [Vorbis] libvorbis 1.3.6 - critical security update
In-Reply-To: <85db4d54-abc5-7916-6c99-052a4b7cb43d@gmail.com>
References: <85db4d54-abc5-7916-6c99-052a4b7cb43d@gmail.com>
Message-ID:

Many thanks to Thomas for handling this security issue quickly.

For those who need just the most critical CVE (though the other CVEs
should be patched as well), the fixes are:

Vorbis: https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4a
Tremor: https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4

Cheers,

Jean-Marc

On 03/16/2018 01:19 PM, Thomas Daede wrote:
> libvorbis 1.3.6 has been released. This release fixes several
> vulnerabilities, including CVE-2018-5146, that could allow code
> execution from a specially crafted Ogg Vorbis file.
>
> * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
> * Fix CVE-2017-14632 - free() on uninitialized data
> * Fix CVE-2017-14633 - out-of-bounds read
> * Fix bitrate metadata parsing.
> * Fix out-of-bounds read in codebook parsing.
> * Fix residue vector size in Vorbis I spec.
> * Appveyor support
> * Travis CI support
> * Add secondary CMake build system.
> * Build system fixes
>
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg
>
> Tremor has also been updated in git.
>
> https://git.xiph.org/?p=tremor.git;a=summary
> _______________________________________________
> Vorbis mailing list
> Vorbis at xiph.org
> http://lists.xiph.org/mailman/listinfo/vorbis
>