-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Apr 2018 11:59:46 -0400
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source amd64
Version: 1.3.2-1.3+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description:
 libvorbis-dbg - The Vorbis General Audio Compression Codec (debug files)
 libvorbis-dev - The Vorbis General Audio Compression Codec (development files)
 libvorbis0a - The Vorbis General Audio Compression Codec (Decoder library)
 libvorbisenc2 - The Vorbis General Audio Compression Codec (Encoder library)
 libvorbisfile3 - The Vorbis General Audio Compression Codec (High Level API)
Changes:
 libvorbis (1.3.2-1.3+deb7u1) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2017-14633: In Xiph.Org libvorbis 1.3.5, an out-of-bounds array
     read vulnerability exists in the function mapping0_forward() in
     mapping0.c, which may lead to DoS when operating on a crafted audio
     file with vorbis_analysis().
   * CVE-2017-14632: Xiph.Org libvorbis 1.3.5 allows Remote Code Execution
     upon freeing uninitialized memory in the function
     vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar
     issue to Mozilla bug 550184.
   * CVE-2017-11333: The vorbis_analysis_wrote function in lib/block.c in
     Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of
     service (OOM) via a crafted wav file.
   * CVE-2018-5146: out-of-bounds memory write in the codebook parsing
     code of the Libvorbis multimedia library could result in the
     execution of arbitrary code.