===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4694
                         libvorbis security update
                             18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvorbis
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14633 CVE-2017-11333 

Reference:         ESB-2018.1321
                   ESB-2018.0468

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/12/msg00021.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : libvorbis
Version        : 1.3.4-2+deb8u3
CVE ID         : CVE-2017-11333 CVE-2017-14633


Two issues have been found in libvorbis, a decoder library for the Vorbis
General Audio Compression Codec.

CVE-2017-14633

      In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read
      vulnerability exists in the function mapping0_forward() in
      mapping0.c, which may lead to DoS when operating on a crafted
      audio file with vorbis_analysis().

CVE-2017-11333

      The vorbis_analysis_wrote function in lib/block.c in Xiph.Org
      libvorbis 1.3.5 allows remote attackers to cause a denial of
      service (OOM) via a crafted wav file.


For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u3.

We recommend that you upgrade your libvorbis packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------
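
Added example (not part of the Debian advisory or the AusCERT bulletin): a
check that flags installed libvorbis binary packages older than the fixed
version 1.3.4-2+deb8u3, using a re-implementation of dpkg's version ordering.
Assumptions: the binary packages are those whose names start with "libvorbis",
and the two-column package/version listing below is constructed sample input.

```python
import re

FIXED = "1.3.4-2+deb8u3"  # fixed version stated in the advisory (Debian 8)

def _order(c):
    # dpkg character ranking: '~' < end of string < letters < other symbols
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(sa), len(sb))):
            d = _order(sa[i:i + 1]) - _order(sb[i:i + 1])
            if d:
                return d
        a, b = a[len(sa):], b[len(sb):]
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing revision compares like "0"
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(x, y):
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def needs_upgrade(dpkg_output, fixed=FIXED):
    stale = []
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        name = fields[0].split(":")[0]  # drop an architecture suffix such as ":amd64"
        if name.startswith("libvorbis") and deb_cmp(fields[1], fixed) < 0:
            stale.append(name)
    return stale

# Constructed sample in "package<TAB>version" form; not taken from a real host.
SAMPLE = ("libvorbis0a:amd64\t1.3.4-2+deb8u2\nlibvorbisenc2:amd64\t1.3.4-2+deb8u3\n"
          "libvorbisfile3:amd64\t1.3.4-2\nlibogg0:amd64\t1.3.2-1\n")
```

On a real host the input would come from a package listing in the same
two-column form; needs_upgrade(SAMPLE) returns the packages still below the
fixed version.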

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================