Bug#870341: libvorbis: CVE-2017-11333

Guido Günther agx at sigxcpu.org
Mon Nov 20 15:39:51 UTC 2017


Hi Petter,
On Tue, Aug 01, 2017 at 08:02:47PM +0200, Petter Reinholdtsen wrote:
> Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file
> 
> I've tried to figure out if the recently reported security problems are
> reported upstream, but the upstream bug tracker is being moved from
> trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
> not done yet, so it seems to be impossible to register it with upstream
> so far.

The issue is at https://gitlab.xiph.org/xiph/vorbis/issues/2332

> 
> Thus I have no idea if there are any patches for this issue yet.  Anyone
> know?

The wav file also seems to suffer from too many channels. When I apply
the patch from #876778 and then the attached patch sox aborts
correctly. I did not check if there are other issues in the wav file
besides too many channels.

(Attaching the patch here since the upstream sox list doesn't seem to
list my submission).

Cheers,
 -- Guido

> 
> -- 
> Happy hacking
> Petter Reinholdtsen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Handle-vorbis_analysis_headerout-errors.patch
Type: text/x-diff
Size: 1576 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xiph-maint/attachments/20171120/90009a11/attachment.patch>
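As an added illustration of the kind of guard described above (this is example code written for this page; it is not Guido's attached patch, whose contents are not shown here, and not sox or libvorbis code), the following Python parses the RIFF/WAVE "fmt " chunk of an in-memory file and rejects an absurd channel count before the stream would be handed to an encoder. The 255-channel bound is an assumption taken from the 8-bit audio_channels field of the Vorbis I bitstream, and both sample files are constructed inline; a real front-end may enforce a lower limit.

```python
import struct

# Assumed policy limit for this example: Vorbis I stores audio_channels in an
# 8-bit field, so more than 255 channels can never be a valid Vorbis stream.
# A real encoder front-end would likely choose a much smaller bound.
MAX_CHANNELS = 255


class WavFormatError(ValueError):
    """Raised when the WAV header is malformed or unacceptable for encoding."""


def parse_wav_fmt(data: bytes) -> dict:
    """Walk the RIFF chunk list of an in-memory WAV file and return the
    fields of the 'fmt ' chunk (PCM header layout, little-endian)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise WavFormatError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id, chunk_size = struct.unpack_from("<4sI", data, pos)
        body = data[pos + 8 : pos + 8 + chunk_size]
        if chunk_id == b"fmt ":
            if len(body) < 16:
                raise WavFormatError("fmt chunk truncated")
            tag, channels, rate, byte_rate, block_align, bits = struct.unpack_from(
                "<HHIIHH", body, 0
            )
            return {
                "format_tag": tag,
                "channels": channels,
                "rate": rate,
                "byte_rate": byte_rate,
                "block_align": block_align,
                "bits": bits,
            }
        # RIFF chunks are padded to an even length.
        pos += 8 + chunk_size + (chunk_size & 1)
    raise WavFormatError("no fmt chunk found")


def validate_for_encoder(fmt: dict, max_channels: int = MAX_CHANNELS) -> None:
    """Reject header values an encoder should never be asked to allocate for.
    The channel count is checked first because that is the field a crafted
    file uses to drive the allocation size."""
    ch = fmt["channels"]
    if ch == 0 or ch > max_channels:
        raise WavFormatError(f"channel count {ch} outside 1..{max_channels}")
    if fmt["rate"] == 0:
        raise WavFormatError("sample rate is zero")
    if fmt["bits"] not in (8, 16, 24, 32):
        raise WavFormatError(f"unsupported bits per sample {fmt['bits']}")
    expected_align = ch * fmt["bits"] // 8
    if fmt["block_align"] != expected_align:
        raise WavFormatError(
            f"block_align {fmt['block_align']} does not match {expected_align}"
        )


def check_wav(data: bytes) -> tuple[bool, str]:
    """Convenience wrapper: (True, 'ok') or (False, reason)."""
    try:
        validate_for_encoder(parse_wav_fmt(data))
        return (True, "ok")
    except WavFormatError as exc:
        return (False, str(exc))


def build_wav(channels: int, rate: int = 44100, bits: int = 16, frames: int = 2) -> bytes:
    """Construct a minimal PCM WAV in memory (test data for this example).
    Derived fields are masked to their header width so an oversized channel
    count wraps the way a hand-crafted file would."""
    frame_bytes = channels * bits // 8
    block_align = frame_bytes & 0xFFFF
    byte_rate = (rate * frame_bytes) & 0xFFFFFFFF
    pcm = b"\x00" * (frame_bytes * frames)
    fmt = struct.pack("<HHIIHH", 1, channels, rate, byte_rate, block_align, bits)
    fmt_chunk = b"fmt " + struct.pack("<I", len(fmt)) + fmt
    data_chunk = b"data" + struct.pack("<I", len(pcm)) + pcm
    riff_size = 4 + len(fmt_chunk) + len(data_chunk)
    return b"RIFF" + struct.pack("<I", riff_size) + b"WAVE" + fmt_chunk + data_chunk


# Constructed samples: an ordinary stereo file and one claiming 65535 channels.
SANE_WAV = build_wav(2)
CRAFTED_WAV = build_wav(65535)

if __name__ == "__main__":
    for name, blob in (("sane", SANE_WAV), ("crafted", CRAFTED_WAV)):
        print(name, check_wav(blob))
```

The check runs on the header alone, so it costs nothing and refuses the file before any per-channel allocation takes place; the same validation belongs in front of whatever encoder initialisation call a front-end makes, in addition to checking that call's own return value.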