-
libvorbis (1.2.0.dfsg-6ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    multiple vulnerabilities
    - debian/patches/CVE-2009-3379.patch: Don't try to read past the end of
      the comment packet if the string lengths are corrupt in lib/info.c,
      check for premature EOP in lib/res0.c, implement hardening in
      lib/{codebook,floor1,info,mapping0}.c, eliminate blocklist overflow
      in lib/backends.h, don't allow codeword lengths longer than 32 bits
      in lib/codebook.c.
    - CVE-2009-3379
  * SECURITY UPDATE: code execution via heap overflow in residue partition
    value (LP: #232150)
    - debian/patches/CVE-2008-1420-2.patch: add additional checks to fix
      issue, but still maintain backwards compatibility in lib/res0.c,
      lib/modes/{residue_44u,residue_44}.h, lib/backends.h.
    - CVE-2008-1420

 -- Marc Deslauriers <email address hidden> Thu, 12 Nov 2009 15:02:17 -0500
-
libvorbis (1.2.0.dfsg-6) unstable; urgency=high

  * Fix CVE-2009-2663: two bugs in libvorbis that allowed a crafted ogg
    file to corrupt memory. (Closes: #540958)
  * patches/CVE-2008-1420.patch: fix a regression playing files generated
    by 1.0b1, from upstream trunk. Thanks Michael Gold. (Closes: #504421)

 -- Michael Bienia <email address hidden> Mon, 17 Aug 2009 12:04:33 +0100
-
libvorbis (1.2.0.dfsg-5) unstable; urgency=low

  * New maintainer.
  * Standards-Version: 3.8.1.
  * gcc -fno-finite-math-only on armel, to work around a gcc bug
    (fixed upstream in gcc 4.3 and 4.4). (Closes: #515949)
  * Fix watch file to unmangle .dfsg in version, thanks Lintian.
  * Distinguish the short descriptions of the different lib packages, and
    other tweaks to debian/control. Thanks Lintian. (Closes: #432688)

 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 01 Jun 2009 10:44:06 +0100
-
libvorbis (1.2.0.dfsg-4) unstable; urgency=low

  * Add upstream-r14811_huffman_sanity_checks.diff. closes: #482039.
  * Bump to Standards-Version 3.8.0.
  * Remove myself from Uploaders.

 -- Ubuntu Archive Auto-Sync <email address hidden> Wed, 29 Apr 2009 12:02:31 +0100
-
libvorbis (1.2.0.dfsg-3.1) unstable; urgency=high

  * Non-maintainer upload by the security team
  * Fix integer overflows (and possible DoS attacks) via crafted
    OGG files (Closes: #482518)
    Fixes: CVE-2008-1423, CVE-2008-1420, CVE-2008-1419

 -- Ubuntu Archive Auto-Sync <email address hidden> Tue, 27 May 2008 09:40:41 +0100