Bug#876780: libvorbis: CVE-2017-14160

Ron ron at debian.org
Tue Sep 26 03:35:01 UTC 2017


On Tue, Sep 26, 2017 at 12:24:14AM +0200, Petter Reinholdtsen wrote:
> [Salvatore Bonaccorso]
> > the following vulnerability was published for libvorbis.
> 
> Thank you for following up on this.  I hope a fix shows up from upstream
> for this and other security issues. :)
> 
> I was just told on #xiph that this issue also might affect speex:
> 
>   <daddesio> rillian: speex may also be affected by that
>     bark_noise_hybridmp bug (CVE-2017-14160) since it includes that very
>     same function, via vorbis_psy.c.
>   <daddesio> see:
>     https://git.xiph.org/?p=speex.git;a=blob;f=libspeex/vorbis_psy.c;h=cb385b7a349486a09a3db20adf225100993111c5;hb=HEAD#l189
> 
> I have not verified that this is the case, but thought it best to
> mention it here until someone has time to check it out.

I think you'll find that's only included in speex if VORBIS_PSYCHO
is defined, which by default it isn't, and there's no configure option
to enable it; you'd need to hand-hack the source.

That was an experiment which never really proved its worth, but the
code was still around in case someone had other ideas for it.

In the case of the exported tarballs (which the current distro packages
are based on) vorbis_psy.c isn't one of the exported files.  So it's
there in git, but it's not in the Debian source, and I'd be surprised
if anyone is building binaries with it enabled anywhere.

  Cheers,
  Ron
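A small audit script, added here as an example and not part of the thread or of the speex project, that checks a speex source tree for the two conditions Ron describes: whether libspeex/vorbis_psy.c is present at all (it is in git but not in the exported tarballs) and, if so, whether anything in the tree actually defines VORBIS_PSYCHO. The path libspeex/vorbis_psy.c is taken from the URL quoted above; the set of build files scanned is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a speex source tree with
# respect to the VORBIS_PSYCHO-guarded vorbis_psy.c (CVE-2017-14160 code).
# Return codes:
#   0 - vorbis_psy.c present AND VORBIS_PSYCHO defined somewhere -> review
#   1 - vorbis_psy.c absent (exported tarball layout) -> not compiled in
#   2 - vorbis_psy.c present but VORBIS_PSYCHO never defined -> dead code
speex_psy_status() {
  tree="$1"
  # Path assumed from the git URL quoted in the thread.
  if [ ! -f "$tree/libspeex/vorbis_psy.c" ]; then
    return 1
  fi
  # Only an actual definition counts: a '#define VORBIS_PSYCHO' in a header
  # or source file, or a -DVORBIS_PSYCHO in a Makefile/configure script.
  # '#ifdef VORBIS_PSYCHO' guards in the code itself do not match.
  # File-name set is an assumption about where such defines would live.
  if find "$tree" -type f \( -name '*.h' -o -name '*.c' \
        -o -name 'Makefile*' -o -name 'configure*' \) \
       -exec grep -lE \
         -e '#[[:space:]]*define[[:space:]]+VORBIS_PSYCHO([^A-Za-z0-9_]|$)' \
         -e '-DVORBIS_PSYCHO([^A-Za-z0-9_]|$)' {} + 2>/dev/null \
     | grep -q .; then
    return 0
  fi
  return 2
}

# Human-readable report for one tree; always returns 0 so it can be looped.
speex_psy_report() {
  speex_psy_status "$1" && rc=0 || rc=$?
  case $rc in
    0) echo "$1: vorbis_psy.c present and VORBIS_PSYCHO defined -> review" ;;
    1) echo "$1: vorbis_psy.c absent -> bark_noise_hybridmp not built" ;;
    *) echo "$1: vorbis_psy.c present but VORBIS_PSYCHO not defined -> dead code" ;;
  esac
  return 0
}

# Usage: sh speex_psy_check.sh /path/to/speex-tree [...]
for t in "$@"; do
  speex_psy_report "$t"
done
```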


