[Vorbis] libvorbis 1.3.6 - critical security update

Jean-Marc Valin jmvalin at jmvalin.ca
Fri Mar 16 17:34:50 UTC 2018


Many thanks to Thomas for handling this security issue quickly. For
those who need just the most critical CVE (though the other CVEs should
be patched as well), the fixes are:

Vorbis:
https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4a

Tremor:
https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4

Cheers,

	Jean-Marc

On 03/16/2018 01:19 PM, Thomas Daede wrote:
> libvorbis 1.3.6 has been released. This release fixes several
> vulnerabilities, including CVE-2018-5146, that could allow code
> execution from a specially crafted Ogg Vorbis file.
> 
> * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
> * Fix CVE-2017-14632 - free() on uninitialized data
> * Fix CVE-2017-14633 - out-of-bounds read
> * Fix bitrate metadata parsing.
> * Fix out-of-bounds read in codebook parsing.
> * Fix residue vector size in Vorbis I spec.
> * Appveyor support
> * Travis CI support
> * Add secondary CMake build system.
> * Build system fixes
> 
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz
> https://ftp.osuosl.org/pub/xiph/releases/vorbis/libvorbis-1.3.6.tar.gz.gpg
> 
> Tremor has also been updated in git.
> 
> https://git.xiph.org/?p=tremor.git;a=summary
