ESB-2018.0468 - [Win][UNIX/Linux][Debian][Apple iOS][Android] libvorbis: Multiple vulnerabilities 2018-02-16


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0468
                         libvorbis security update
                             16 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvorbis
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Android
                   Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14633 CVE-2017-14632 

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4113

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libvorbis check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4113-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 14, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libvorbis
CVE ID         : CVE-2017-14632 CVE-2017-14633

Two vulnerabilities were discovered in the libraries of the Vorbis audio
compression codec, which could result in denial of service or the
execution of arbitrary code if a malformed media file is processed.

For the stable distribution (stretch), these problems have been fixed in
version 1.3.5-4+deb9u1.

We recommend that you upgrade your libvorbis packages.

For the detailed security status of libvorbis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvorbis

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
