[Vorbis] libvorbis 1.3.6 - critical security update

Thomas Daede bztdlinux at gmail.com
Fri Mar 16 17:19:46 UTC 2018


libvorbis 1.3.6 has been released. This release fixes several
vulnerabilities, including CVE-2018-5146, that could allow code
execution from a specially crafted Ogg Vorbis file.

* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on uninitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes

https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg

Tremor has also been updated in git.

https://git.xiph.org/?p=tremor.git;a=summary
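Before building the tarball linked above, a downstream packager would check it against the published detached signature (the .tar.gz.gpg file). The script below is an added example and is not part of this announcement or of the libvorbis project. It assumes GnuPG is installed and that the signing key is already in the local keyring; EXPECTED_FPR is a placeholder, since the announcement does not list the release-signing key's fingerprint, and the check deliberately fails when the signature is valid but made by any other key.

```shell
#!/bin/sh
# Verify a downloaded libvorbis release tarball against its detached
# OpenPGP signature before building it. Added example, not part of the
# announcement. EXPECTED_FPR is a placeholder: replace it with the
# fingerprint (40 hex digits) of the release-signing key you have
# verified out of band.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# verify_release TARBALL SIGFILE
#   0  signature valid and made by EXPECTED_FPR
#   1  gpg rejected the signature, or it was made by some other key
#   2  tarball or signature file missing
#   3  gpg is not installed
verify_release() {
    tarball=$1
    sigfile=$2
    [ -f "$tarball" ] && [ -f "$sigfile" ] || return 2
    command -v gpg >/dev/null 2>&1 || return 3

    # --status-fd 1 makes gpg print machine-readable lines such as
    # "[GNUPG:] VALIDSIG <fingerprint> ...", which are checked below.
    status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null) || return 1

    # A cryptographically valid signature is not enough: any key in the
    # keyring would pass. Require the expected signing-key fingerprint.
    printf '%s\n' "$status" | grep -qi "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " || return 1
    return 0
}

# Usage: ./verify_release.sh libvorbis-1.3.6.tar.gz libvorbis-1.3.6.tar.gz.gpg
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
    rc=$?
    case $rc in
        0) echo "OK: signature valid and from the expected key" ;;
        1) echo "FAIL: bad signature or unexpected signing key" ;;
        2) echo "FAIL: tarball or signature file not found" ;;
        3) echo "FAIL: gpg is not installed" ;;
    esac
    exit $rc
fi
```

Distinct exit codes keep a missing file or a missing gpg binary from being mistaken for a successful verification in a build script that only checks for zero.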

