Advisories » MGASA-2018-0070

Updated libvorbis packages fix security vulnerabilities

Publication date: 12 Jan 2018
Modification date: 12 Jan 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-14632, CVE-2017-14633

Description

Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in
info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
(CVE-2017-14632)

In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
exists in the function mapping0_forward() in mapping0.c, which may lead
to DoS when operating on a crafted audio file with vorbis_analysis().
(CVE-2017-14633)
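
The bug class behind CVE-2017-14632, shown as an added illustration that is not libvorbis code: an error path releases a buffer that was never initialised because a channels<=0 check fails first. The types, function names and control flow below are hypothetical, and the bogus release is counted rather than passed to free() so the program runs safely.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; these are not libvorbis types. */
typedef struct { unsigned char *data; } packbuf;
typedef struct { int channels; } stream_info;

static unsigned char *live; /* the one allocation this demo really owns */
static int bad_frees;       /* releases of pointers that were never allocated */

static void packbuf_init(packbuf *b) { b->data = live = malloc(64); }

/* A real cleanup would call free(b->data); here a bogus pointer is counted
   instead, so the faulty path can be observed without corrupting the heap. */
static void packbuf_clear(packbuf *b) {
    if (b->data == NULL) return;
    if (b->data != live) { bad_frees++; return; }
    free(live);
    live = NULL;
    b->data = NULL;
}

/* Faulty ordering: the error path cleans up a buffer that was never set up. */
static int headerout_vulnerable(const stream_info *vi) {
    packbuf opb;
    int ret = -1;
    memset(&opb, 0xAA, sizeof opb);      /* models indeterminate stack contents */
    if (vi->channels <= 0) goto err_out; /* fails before packbuf_init() */
    packbuf_init(&opb);
    ret = 0;
err_out:
    packbuf_clear(&opb);
    return ret;
}

/* Hardened ordering: validate first, and start from a known-empty buffer. */
static int headerout_hardened(const stream_info *vi) {
    packbuf opb = { NULL };
    if (vi->channels <= 0) return -1; /* nothing allocated, nothing to free */
    packbuf_init(&opb);
    packbuf_clear(&opb);
    return 0;
}

int main(void) {
    stream_info bad = { 0 }; /* constructed input: zero channels */
    headerout_vulnerable(&bad);
    headerout_hardened(&bad);
    return bad_frees == 1 ? 0 : 1;
}
```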
                

References

SRPMS

6/core