update libvorbis to 1.3.6

Bug #1756516 reported by Mike Neac on 2018-03-17
This bug affects 1 person
Affects: libvorbis (Ubuntu)

Bug Description

libvorbis 1.3.6 (2018-03-16) -- "Xiph.Org libVorbis I 20180316 (Now 100% fewer shells)"

* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on uninitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes

information type: Private Security → Public Security
Changed in libvorbis (Ubuntu):
status: New → Confirmed
Florian Schlichting (fschlich) wrote :

libvorbis 1.3.6 is in cosmic and the CVEs were already fixed in bionic (and earlier through security updates, I believe)

Changed in libvorbis (Ubuntu):
status: Confirmed → Fix Released