Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Martin Steghöfer
martin at steghoefer.eu
Sun Jan 25 17:35:14 UTC 2015
retitle 776086 CVE-2014-9638 CVE-2014-9639
thanks
Dear Salvatore,
thank you for reporting this!
Salvatore Bonaccorso wrote:
> CVE-2014-9638[0]:
> Oggenc division by zero issue
Confirmed with 1.4.0-6 as well as with the current git head. There
doesn't seem to be a fix yet, so I am going to look into it.
> CVE-2014-9639[1]:
> Oggenc channel integer overflow
Confirmed with 1.4.0-6 as well as with the current git head. There
doesn't seem to be a fix yet, so I am going to look into it.
>
> CVE-2014-9640[2]:
> segfault when trying to encode trivial raw input
This one is a duplicate of Debian bug #771363, which we fixed in
December in version 1.4.0-6 (which made it into Jessie). No idea why the
Debian security tracker lists 1.4.0-6 as vulnerable. This should be
changed, but I don't know how.
Since it's classified as a security issue now, we should probably
backport the fix to stable, shouldn't we?
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Will do, at least for the remaining 2 issues. For CVE-2014-9640 there
was no CVE identifier when we fixed it.
Cheers,
Martin
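As an added illustration of the two defect classes named above (a header field used as a divisor that an attacker can set to zero, and a channel count multiplied into a buffer size without an overflow check), here is a small hardened WAV "fmt " chunk reader. This is example code written for this page, not oggenc's or vorbis-tools' own code; the exact shape of the checks and the constructed sample headers are assumptions, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of a PCM WAV "fmt " chunk that an encoder relies on (hypothetical struct). */
typedef struct {
    uint16_t channels;
    uint32_t samplerate;
    uint16_t bits_per_sample;
} wav_fmt;

enum { WAV_OK = 0, WAV_ERR_SHORT = -1, WAV_ERR_ZERO_FIELD = -2, WAV_ERR_OVERFLOW = -3 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample chunk bodies (16 bytes each):
   format(2) channels(2) samplerate(4) byterate(4) blockalign(2) bits(2), little-endian. */
static const uint8_t SAMPLE_FMT_OK[16] =
    {1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,0x02,0, 4,0, 16,0};   /* 2 ch, 44100 Hz, 16 bit */
static const uint8_t SAMPLE_FMT_ZERO_CHANNELS[16] =
    {1,0, 0,0, 0x44,0xAC,0,0, 0,0,0,0, 0,0, 16,0};            /* channels = 0 */

/* Parse the chunk body and reject any field that later code divides by. */
int wav_parse_fmt(const uint8_t *buf, size_t len, wav_fmt *out) {
    if (len < 16) return WAV_ERR_SHORT;
    out->channels = le16(buf + 2);
    out->samplerate = le32(buf + 4);
    out->bits_per_sample = le16(buf + 14);
    if (out->channels == 0 || out->samplerate == 0 || out->bits_per_sample == 0)
        return WAV_ERR_ZERO_FIELD;
    return WAV_OK;
}

/* Duration in seconds of a data chunk. Without the zero checks above, the integer
   division by bytes_per_frame (channels * bytes/sample) would fault on a crafted header. */
int wav_duration_seconds(const wav_fmt *f, uint32_t data_bytes, double *seconds) {
    if (f->channels == 0 || f->samplerate == 0 || f->bits_per_sample == 0)
        return WAV_ERR_ZERO_FIELD;
    uint32_t bytes_per_frame = (uint32_t)f->channels * ((f->bits_per_sample + 7u) / 8u);
    uint32_t frames = data_bytes / bytes_per_frame;
    *seconds = (double)frames / (double)f->samplerate;
    return WAV_OK;
}

/* Checked multiply: 0 on success with *out set, -1 if a*b would wrap. */
static int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Size of a buffer holding `frames` sample frames. The channel count comes from the
   file, so channels * bytes_per_sample * frames must be overflow-checked before use
   as an allocation or copy length. */
int wav_frame_buffer_size(const wav_fmt *f, size_t frames, size_t *out) {
    size_t bytes_per_sample = ((size_t)f->bits_per_sample + 7u) / 8u;
    size_t per_frame;
    if (mul_size_checked(f->channels, bytes_per_sample, &per_frame)) return WAV_ERR_OVERFLOW;
    if (mul_size_checked(per_frame, frames, out)) return WAV_ERR_OVERFLOW;
    return WAV_OK;
}

int main(void) {
    wav_fmt f;
    double secs;
    size_t bytes;
    if (wav_parse_fmt(SAMPLE_FMT_OK, sizeof SAMPLE_FMT_OK, &f) == WAV_OK &&
        wav_duration_seconds(&f, 176400, &secs) == WAV_OK)
        printf("ok header: %.1f s of audio\n", secs);
    printf("zero-channel header rejected: %d\n",
           wav_parse_fmt(SAMPLE_FMT_ZERO_CHANNELS, 16, &f) == WAV_ERR_ZERO_FIELD);
    wav_parse_fmt(SAMPLE_FMT_OK, 16, &f);
    printf("oversized frame count rejected: %d\n",
           wav_frame_buffer_size(&f, SIZE_MAX, &bytes) == WAV_ERR_OVERFLOW);
    return 0;
}
```

The point of the two separate checks is that the divisor check and the multiplication check guard different operations: a zero channel or sample-rate field faults at the first integer division, while a large channel count passes the zero check and only becomes dangerous when multiplied into a length that is handed to malloc or memcpy.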