Updated libvorbis packages fix security vulnerabilities
Publication date: 14 Jan 2018
Modification date: 14 Jan 2018
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-14632, CVE-2017-14633
Description
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184 (CVE-2017-14632).

In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis() (CVE-2017-14633).
References
SRPMS
5/core
- libvorbis-1.3.5-1.1.mga5
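
To confirm a host carries the fixed build, installed packages can be matched on their source RPM and compared against libvorbis-1.3.5-1.1.mga5 using rpm's segment-wise ordering. The following is an added example, not Mageia tooling: the binary package names and the older release in the sample are constructed, and epochs and tilde/caret versions are assumed absent.

```python
import re

FIXED_SRPM = "libvorbis-1.3.5-1.1.mga5.src.rpm"  # fixed build named in this advisory

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does (no ~ or ^ handling)."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def split_srpm(filename):
    """'libvorbis-1.3.5-1.1.mga5.src.rpm' -> ('libvorbis', '1.3.5', '1.1.mga5')."""
    name, version, release = filename[:-len(".src.rpm")].rsplit("-", 2)
    return name, version, release

def is_older(srpm, fixed=FIXED_SRPM):
    _, ver, rel = split_srpm(srpm)
    _, fver, frel = split_srpm(fixed)
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0

def audit(lines, fixed=FIXED_SRPM):
    """lines: output of  rpm -qa --qf '%{NAME} %{SOURCERPM}\\n'"""
    fixed_name = split_srpm(fixed)[0]
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[1].endswith(".src.rpm"):
            continue                          # e.g. gpg-pubkey rows report "(none)"
        pkg, srpm = parts
        if split_srpm(srpm)[0] == fixed_name and is_older(srpm, fixed):
            hits.append((pkg, srpm))
    return hits

# Constructed sample of rpm query output (package names and old release are illustrative).
SAMPLE = [
    "lib64vorbis0 libvorbis-1.3.5-1.mga5.src.rpm",
    "lib64vorbis-devel libvorbis-1.3.5-1.1.mga5.src.rpm",
    "lib64ogg0 libogg-1.3.2-3.mga5.src.rpm",
    "gpg-pubkey (none)",
]

if __name__ == "__main__":
    for pkg, srpm in audit(SAMPLE):
        print(f"needs update: {pkg} (built from {srpm})")
```

A plain string comparison would rank release `1.mga5` above `1.1.mga5`, which is why the check uses rpm's ordering.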