Updated libvorbis packages fix security vulnerabilities
Publication date: 24 Jun 2018
Modification date: 24 Jun 2018
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
Description
The updated packages fix security vulnerabilities:

The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file. (CVE-2017-14160)

mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file. (CVE-2018-10392)

bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read. (CVE-2018-10393)
References
- https://bugs.mageia.org/show_bug.cgi?id=23145
- https://lists.opensuse.org/opensuse-updates/2018-05/msg00067.html
- http://lists.suse.com/pipermail/sle-security-updates/2018-June/004158.html
- https://lists.opensuse.org/opensuse-updates/2018-06/msg00047.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10392
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10393
SRPMS
6/core
- libvorbis-1.3.5-2.4.mga6
5/core
- libvorbis-1.3.5-1.4.mga5