update libvorbis to 1.3.6

Bug #1756516 reported by Mike Neac
Affects | Status | Importance | Assigned to | Milestone
libvorbis (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

libvorbis 1.3.6 (2018-03-16) -- "Xiph.Org libVorbis I 20180316 (Now 100% fewer shells)"

* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on uninitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes

information type: Private Security → Public Security
Changed in libvorbis (Ubuntu):
status: New → Confirmed
Florian Schlichting (fschlich) wrote :

libvorbis 1.3.6 is in cosmic and the CVEs were already fixed in bionic (and earlier through security updates, I believe).

Changed in libvorbis (Ubuntu):
status: Confirmed → Fix Released