Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640

Martin Steghöfer martin at steghoefer.eu
Sun Jan 25 17:35:14 UTC 2015


retitle 776086 CVE-2014-9638 CVE-2014-9639
thanks


Dear Salvatore,

thank you for reporting this!


Salvatore Bonaccorso wrote:
> CVE-2014-9638[0]:
> Oggenc division by zero issue

Confirmed with 1.4.0-6 as well as with the current git head. There 
doesn't seem to be a fix yet, so I am going to look into it.

> CVE-2014-9639[1]:
> Oggenc channel integer overflow

Confirmed with 1.4.0-6 as well as with the current git head. There 
doesn't seem to be a fix yet, so I am going to look into it.

>
> CVE-2014-9640[2]:
> segfault when trying to encode trivial raw input

This one is a duplicate of Debian bug #771363, which we fixed in 
December in version 1.4.0-6 (which made it into Jessie). No idea why the 
Debian security tracker lists 1.4.0-6 as vulnerable. This should be 
changed, but I don't know how.

Since it's classified as a security issue now, we should probably 
backport the fix to stable, shouldn't we?

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Will do, at least for the remaining 2 issues. For CVE-2014-9640 there 
was no CVE identifier when we fixed it.

Cheers,
Martin
