libvorbis: add upstream security fixes
author Peter Korsgaard <peter@korsgaard.com>
Fri, 16 Feb 2018 08:09:55 +0000 (09:09 +0100)
committer Peter Korsgaard <peter@korsgaard.com>
Sun, 18 Feb 2018 20:56:19 +0000 (21:56 +0100)
commit cc9282ae8c346c0b46fb249008696f6e9bc35f2c
tree 68730d7714e619de6f848550abc10df7d0232d4a
parent f55ab4a08ff8e02575759d58a7972824e792e657
libvorbis: add upstream security fixes

Fixes the following security issues:

CVE-2017-14632: Libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in info.c
when vi->channels<=0, a similar issue to Mozilla bug 550184.

CVE-2017-14633: In libvorbis 1.3.5, an out-of-bounds array read
vulnerability exists in the function mapping0_forward() in mapping0.c, which
may lead to DoS when operating on a crafted audio file with
vorbis_analysis().

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/libvorbis/0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch [new file with mode: 0644]
package/libvorbis/0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch [new file with mode: 0644]
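
The two bug classes named in the commit message, modelled as an added example; this is not libvorbis or Buildroot code and does not reproduce the patches. The types and functions (`out_buf`, `channels_valid`, `header_out`) and the buffer layout are hypothetical; only the 256-channel limit and the `channels <= 0` condition come from the text above.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_CHANNELS 256   /* upper bound taken from the 0001 patch title */
#define E_INVAL (-1)
#define E_NOMEM (-2)

/* Hypothetical stand-in for an encoder's output buffer (not a libvorbis type). */
struct out_buf { unsigned char *data; size_t len; };

static void out_buf_clear(struct out_buf *b)
{
    free(b->data);               /* free(NULL) is a no-op */
    memset(b, 0, sizeof(*b));
}

/* Reject channel counts outside 1..MAX_CHANNELS before any per-channel
 * table is indexed with them (the out-of-bounds read class). */
int channels_valid(int channels)
{
    return channels >= 1 && channels <= MAX_CHANNELS;
}

/* Vulnerable shape, described only: declare `struct out_buf b;` without an
 * initializer, jump to the cleanup label when channels <= 0, and let the
 * cleanup call out_buf_clear(&b). free() then receives an indeterminate
 * pointer. The hardened form zeroes the struct first, so every exit path
 * may clear it. */
int header_out(int channels, size_t *written)
{
    struct out_buf b = {0};      /* known state before any early exit */
    int ret = E_INVAL;

    *written = 0;
    if (!channels_valid(channels))
        goto done;

    b.len = 1 + (size_t)channels;    /* constructed layout: count byte + 1 byte per channel */
    b.data = calloc(b.len, 1);
    if (b.data == NULL) { ret = E_NOMEM; goto done; }
    b.data[0] = (unsigned char)(channels - 1);   /* 1..256 stored as n-1 */
    *written = b.len;
    ret = 0;
done:
    out_buf_clear(&b);           /* safe on every path, including early rejects */
    return ret;
}
```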