Wheezy update of vorbis-tools for CVE-2015-6749

Petter Reinholdtsen pere at hungry.com
Sun Jul 2 19:26:52 UTC 2017


[Thorsten Alteholz]
> yes, any LTS upload needs a DLA after the package arrives in the
> archive.  The security tracker contains a script (bin/gen-DLA) that
> creates a template for such a DLA, you just have to fill in some
> description. If you don't want to do this, don't hesitate to inform
> the LTS team and somebody else will do the bookkeeping.

Thank you.  I'm building and testing in wheezy at the moment, and will
upload when I am done.  I would be very happy if someone else took the
bookkeeping.

> While you are at it, there are also CVE-2014-9640 and CVE-2014-9639, which
> can be seen in [1].

Ah, good point.  The changelog in git looks like this now:

vorbis-tools (1.4.0-1+deb7u1) wheezy-security; urgency=medium

  * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749)
    (Closes: #797461).
  * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639).
    (Closes: 776086)
  * Fix oggenc crash on closing raw input files by backporting r19117 from upstream
    (CVE-2014-9640) (Closes: #771363).

 -- Petter Reinholdtsen <pere at debian.org>  Sun, 02 Jul 2017 20:53:04 +0200

-- 
Happy hacking
Petter Reinholdtsen
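As an added illustration (not oggenc's code and not part of this thread), a small AIFF COMM-chunk parser in C that validates the channel count and sample size before either value can drive a buffer allocation, which is the class of check the second changelog entry describes. The AIFF_MAX_CHANNELS bound, the function names and the sample chunk bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Application-chosen ceiling (assumption, not oggenc's value): a header
 * field must never be able to size a stack or heap buffer unchecked. */
#define AIFF_MAX_CHANNELS 255

typedef struct {
    uint16_t channels;
    uint32_t sample_frames;
    uint16_t sample_size;   /* bits per sample */
} aiff_comm;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse an 18-byte COMM body: int16 channels, uint32 frames, int16 bits,
 * 80-bit sample rate. Returns 0 on success, -1 if truncated or unsafe. */
int aiff_parse_comm(const uint8_t *buf, size_t len, aiff_comm *out)
{
    if (len < 18) return -1;                      /* truncated chunk */
    uint16_t channels = be16(buf);
    uint32_t frames   = be32(buf + 2);
    uint16_t bits     = be16(buf + 6);
    /* Reject values outside what the decoder can legitimately handle. */
    if (channels == 0 || channels > AIFF_MAX_CHANNELS) return -1;
    if (bits == 0 || bits > 32) return -1;
    out->channels = channels; out->sample_frames = frames; out->sample_size = bits;
    return 0;
}

/* Bytes needed to hold `frames` frames; -1 on arithmetic overflow. */
int aiff_buffer_bytes(const aiff_comm *c, size_t frames, size_t *out)
{
    size_t frame_bytes = (size_t)c->channels * ((c->sample_size + 7) / 8);
    if (frames != 0 && frame_bytes > SIZE_MAX / frames) return -1;
    *out = frame_bytes * frames;
    return 0;
}

/* Constructed sample bodies: 2ch/100 frames/16-bit, and a bogus channel count. */
const uint8_t SAMPLE_COMM_OK[18]  = {0,2, 0,0,0,100, 0,16, 0x40,0x0E,0xAC,0x44,0,0,0,0,0,0};
const uint8_t SAMPLE_COMM_BAD[18] = {0xFF,0xFF, 0,0,0,100, 0,16, 0x40,0x0E,0xAC,0x44,0,0,0,0,0,0};

/* Returns the validated channel count, or -1 if the header is rejected. */
int aiff_check_sample(const uint8_t *buf, size_t len)
{
    aiff_comm c;
    return aiff_parse_comm(buf, len, &c) == 0 ? (int)c.channels : -1;
}
```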
