Bug#482039: libvorbis0a: potential security patch, needs review
Steffen Joeris
steffen.joeris at skolelinux.de
Tue May 20 12:00:49 UTC 2008
Package: libvorbis0a
Version: 1.2.0.dfsg-3
Severity: normal
Tags: security
Hi
As discussed on IRC with dato, here is the information on this:
The following CVE(0) has been issued against vorbis.
CVE-2008-2009:
Xiph.org libvorbis before 1.0 does not properly check for underpopulated
Huffman trees, which allows remote attackers to cause a denial of
service (crash) via a crafted OGG file that triggers memory corruption
during execution of the _make_decode_tree function.
Now the version in unstable is not as old as the one mentioned in the
CVE. However, I was wondering if the sanity checks upstream added in
their patch(1) are needed for our Debian versions as well?
Could someone familiar with the code maybe have a look?
Cheers
Steffen
(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2009
(1): https://trac.xiph.org/changeset/14811?format=diff&new=14811
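The CVE text above concerns a decoder that builds a Huffman decode tree from codeword lengths without first verifying that those lengths describe a fully populated tree. The following is an added example written for this report; it is not libvorbis code and not the upstream patch, and all names in it (check_codeword_lengths, the huff_status values) are hypothetical. It shows the kind of pre-check a decoder can run on a codebook's length table before constructing anything: the Kraft sum of the lengths, in fixed point, must come out to exactly one tree's worth of leaves (underpopulated and overpopulated tables are rejected), with the one conventional exception of a single-entry codebook whose sole codeword has length 1.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of the length-table check (hypothetical names, not a libvorbis API). */
enum huff_status {
    HUFF_OK = 0,
    HUFF_UNDERPOPULATED = 1,   /* tree has unused leaves: a walk can fall off it */
    HUFF_OVERPOPULATED = 2,    /* more codewords than the tree can hold */
    HUFF_BAD_LENGTH = 3        /* a length outside 1..32 */
};

/*
 * Check whether an array of codeword lengths describes a complete prefix code.
 * Each codeword of length L occupies 2^(32-L) units of a 2^32-unit budget
 * (the Kraft inequality in fixed point); the tree is complete exactly when
 * the budget is used up. A length of 0 marks an unused codebook entry.
 */
enum huff_status check_codeword_lengths(const unsigned *lengths, size_t n)
{
    const uint64_t full = (uint64_t)1 << 32;
    uint64_t used = 0;
    size_t count = 0;

    for (size_t i = 0; i < n; i++) {
        if (lengths[i] == 0)
            continue;                          /* unused entry, occupies nothing */
        if (lengths[i] > 32)
            return HUFF_BAD_LENGTH;
        used += (uint64_t)1 << (32 - lengths[i]);
        count++;
        /* Early exit keeps 'used' bounded, so the sum cannot overflow. */
        if (used > full)
            return HUFF_OVERPOPULATED;
    }

    /* Design choice for this example: an all-unused table has no tree to
       walk, so there is nothing a decoder could overrun. */
    if (count == 0)
        return HUFF_OK;

    /* Single-entry codebook: one codeword '0' of length 1 leaves half the
       tree empty by construction, so it is exempted from the check. */
    if (count == 1 && used == full / 2)
        return HUFF_OK;

    if (used < full)
        return HUFF_UNDERPOPULATED;
    return HUFF_OK;
}

/* Stand-alone demonstration on constructed length tables. */
int main(void)
{
    const unsigned complete[]  = {1, 2, 3, 3};     /* 1/2 + 1/4 + 1/8 + 1/8 = 1 */
    const unsigned underpop[]  = {1, 2, 3};        /* 7/8: one leaf never assigned */
    const unsigned overpop[]   = {1, 1, 2};        /* 5/4: cannot fit */
    const unsigned single[]    = {1};              /* allowed single-entry case */
    const unsigned tables_n = 4;
    const unsigned *tables[] = {complete, underpop, overpop, single};
    const size_t sizes[] = {4, 3, 3, 1};

    for (unsigned t = 0; t < tables_n; t++)
        printf("table %u -> status %d\n", t,
               (int)check_codeword_lengths(tables[t], sizes[t]));
    return 0;
}
```

A decoder that runs this check on every codebook as it is parsed, and refuses the stream on anything other than HUFF_OK, never reaches the tree-construction step with a table that would leave dangling branches.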