Arch Linux


FS#44172 - [vorbis-tools][CVE-2014-9638][CVE-2014-9639][CVE-2014-9640] Denial of Service

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Friday, 13 March 2015, 15:13 GMT
Last edited by Eric Belanger (Snowman) - Wednesday, 25 March 2015, 00:28 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary
=======

CVE-2014-9638
------------
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
------------
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
------------
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

References
==========
http://www.openwall.com/lists/oss-security/2015/01/22/9
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9639
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9640
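As an added example, not code from vorbis-tools or from the fix shipped in vorbis-tools-1.4.0-5, here is a defensive parser for the WAVE "fmt " chunk showing the kind of checks a converter needs against the failure modes these CVEs describe: a channel count of zero refused before any frame-size division, a channel count bounded by what per-channel buffers can hold, a length check before header fields are read, and overflow-checked size arithmetic. MAX_CHANNELS is an assumed program limit and the sample headers are constructed.

```c
/* Added example, not vorbis-tools code: defensive validation of the WAVE
 * "fmt " chunk fields the CVEs above involve. MAX_CHANNELS is an assumed
 * limit of the caller's per-channel buffers; sample headers are constructed. */
#include <stddef.h>
#include <stdint.h>

#define MAX_CHANNELS 8u
enum wav_status { WAV_OK, WAV_SHORT, WAV_ZERO_CHANNELS, WAV_TOO_MANY_CHANNELS,
                  WAV_BAD_BITS, WAV_OVERFLOW };
struct wav_fmt { uint32_t channels, rate, frame_bytes; };

static uint32_t rd16le(const unsigned char *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32le(const unsigned char *p) { return rd16le(p) | (rd16le(p + 2) << 16); }

/* Constructed 16-byte PCM fmt bodies: 2ch/44100Hz/16-bit, then channels = 0, then channels = 64. */
const unsigned char WAV_FMT_OK[16]   = {1,0, 2,0,  0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
const unsigned char WAV_FMT_ZERO[16] = {1,0, 0,0,  0x44,0xAC,0,0, 0,0,0,0,       0,0, 16,0};
const unsigned char WAV_FMT_MANY[16] = {1,0, 64,0, 0x44,0xAC,0,0, 0,0,0,0,       0,0, 16,0};

/* Parse the fmt chunk body; reject every value a later division, array index
 * or size computation could not handle safely. */
enum wav_status wav_check_fmt(const unsigned char *body, size_t len, struct wav_fmt *out)
{
    if (len < 16) return WAV_SHORT;                  /* truncated input: never read past it */
    uint32_t channels = rd16le(body + 2);
    uint32_t bits     = rd16le(body + 14);
    if (channels == 0) return WAV_ZERO_CHANNELS;     /* frame size 0 -> divide-by-zero later */
    if (channels > MAX_CHANNELS) return WAV_TOO_MANY_CHANNELS; /* would index past per-channel arrays */
    if (bits != 8 && bits != 16 && bits != 24 && bits != 32) return WAV_BAD_BITS;
    out->channels    = channels;
    out->rate        = rd32le(body + 4);
    out->frame_bytes = channels * (bits / 8);        /* at most 8 * 4: cannot overflow */
    return WAV_OK;
}

/* Bytes needed for `frames` frames, checked for overflow instead of trusted. */
enum wav_status wav_buffer_bytes(const struct wav_fmt *f, size_t frames, size_t *out)
{
    if (f->frame_bytes == 0) return WAV_ZERO_CHANNELS;
    if (frames > SIZE_MAX / f->frame_bytes) return WAV_OVERFLOW;
    *out = frames * f->frame_bytes;
    return WAV_OK;
}

/* Whole frames in a data chunk; the zero check keeps it safe even if called early. */
uint32_t wav_frame_count(const struct wav_fmt *f, uint32_t data_bytes)
{
    return f->frame_bytes ? data_bytes / f->frame_bytes : 0;
}
```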

Closed by Eric Belanger (Snowman)
Wednesday, 25 March 2015, 00:28 GMT
Reason for closing: Fixed
Additional comments about closing: vorbis-tools-1.4.0-5