diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog 2017-03-21 17:09:03.000000000 +0000
+++ audiofile-0.3.6/debian/changelog 2018-10-23 18:16:13.000000000 +0000
@@ -1,3 +1,16 @@
+audiofile (0.3.6-2ubuntu0.14.04.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2018-13440.patch: fix in
+ libaudiofile/modules/ModuleState.cpp.
+ - CVE-2018-13440
+ * SECURITY UPDATE: Heap-based buffer overflow
+ - debian/patches/CVE-2018-17095.patch: fix in
+ libaudiofile/modules/SimpleModule.cpp.
+ - CVE-2018-17095
+
+ -- Leonidas S. Barbosa Tue, 23 Oct 2018 15:12:20 -0300
+
 audiofile (0.3.6-2ubuntu0.14.04.2) trusty-security; urgency=high
 
 * SECURITY UPDATE: multiple vulnerabilities (LP: #1674005)
diff -Nru audiofile-0.3.6/debian/patches/CVE-2018-13440.patch audiofile-0.3.6/debian/patches/CVE-2018-13440.patch
--- audiofile-0.3.6/debian/patches/CVE-2018-13440.patch 1970-01-01 00:00:00.000000000 +0000
+++ audiofile-0.3.6/debian/patches/CVE-2018-13440.patch 2018-10-23 18:10:22.000000000 +0000
@@ -0,0 +1,28 @@
+From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Thu, 27 Sep 2018 10:48:45 +0200
+Subject: [PATCH] ModuleState: handle compress/decompress init failure
+
+When the unit initcompress or initdecompress function fails,
+m_fileModule is NULL. Return AF_FAIL in that case instead of
+causing NULL pointer dereferences later.
+
+Fixes #49
+---
+ libaudiofile/modules/ModuleState.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
+index 0c29d7a..070fd9b 100644
+--- a/libaudiofile/modules/ModuleState.cpp
++++ b/libaudiofile/modules/ModuleState.cpp
+@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
+ m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
+ file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
+
++ if (!m_fileModule)
++ return AF_FAIL;
++
+ if (unit->needsRebuffer)
+ {
+ assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);
diff -Nru audiofile-0.3.6/debian/patches/CVE-2018-17095.patch audiofile-0.3.6/debian/patches/CVE-2018-17095.patch
--- audiofile-0.3.6/debian/patches/CVE-2018-17095.patch 1970-01-01 00:00:00.000000000 +0000
+++ audiofile-0.3.6/debian/patches/CVE-2018-17095.patch 2018-10-23 18:10:40.000000000 +0000
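Review bot: The added `if (!m_fileModule) return AF_FAIL;` in `ModuleState::initFileModule` carries no comment explaining why a NULL module can occur, and only the `initcompress` assignment is visible above it, so this hunk alone does not confirm that the check also follows the `initdecompress` path named in the commit message. I would put `// initcompress/initdecompress return NULL on failure; stop here so m_fileModule is never dereferenced.` directly above the check. The function starts and ends outside the hunk, so it is worth verifying that nothing set up earlier in it needs releasing on this early return and that every caller acts on the AF_FAIL status. The condition is presumably reachable from the contents of a file the library is asked to open, so a regression test with a sample that makes the unit's init fail would be a useful addition to the package.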
@@ -0,0 +1,26 @@
+From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Thu, 27 Sep 2018 12:11:12 +0200
+Subject: [PATCH] SimpleModule: set output chunk framecount after pull
+
+After pulling the data, set the output chunk to the amount of
+frames we pulled so that the next module in the chain has the correct
+frame count.
+
+Fixes #50 and #51
+---
+ libaudiofile/modules/SimpleModule.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
+index 2bae1eb..e87932c 100644
+--- a/libaudiofile/modules/SimpleModule.cpp
++++ b/libaudiofile/modules/SimpleModule.cpp
+@@ -26,6 +26,7 @@
+ void SimpleModule::runPull()
+ {
+ pull(m_outChunk->frameCount);
++ m_outChunk->frameCount = m_inChunk->frameCount;
+ run(*m_inChunk, *m_outChunk);
+ }
+
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series 2017-03-21 17:08:34.000000000 +0000
+++ audiofile-0.3.6/debian/patches/series 2018-10-23 18:10:40.000000000 +0000
@@ -6,3 +6,5 @@
 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch
 09_Actually-fail-when-error-occurs-in-parseFormat.patch
 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
+CVE-2018-13440.patch
+CVE-2018-17095.patch
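Review bot: The new line `m_outChunk->frameCount = m_inChunk->frameCount;` in `SimpleModule::runPull` is the entire fix for a heap-based buffer overflow, yet the code records nothing about the invariant it depends on. I would add `// pull() may deliver fewer frames than requested (short or truncated input); propagate the real count so run() and later modules stay inside their buffers.` above it. The assignment is only safe if the pulled count can never exceed the requested one, which `pull()` presumably guarantees but which is not visible in this hunk. Any module that supplies its own `runPull` instead of inheriting this one is untouched by the patch and would need the same check.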