Hi Jamie!
I've noticed your USN-611-[123], which patch speex, vorbis-tools and
gstreamer plugins. However, I believe the fix in libspeex/speex_header.c
should be sufficient to address this issue in all affected
applications, as they call speex_packet_to_header(). With patch
applied, it'll return NUL
On Wed May 07, 2008 at 18:12:09 -0400, Jamie Strandboge wrote:
> vorbis-tools contains embedded speex code, and although vorbis-tools is linked
> to libspeex, it compiles the vulnerable code. Attached is a debdiff that
> Ubuntu is using in its 1.1.1 versions of vorbis-tools (fuzz removed).
I
For what it's worth, 1.2.1 to be released soon already has this fix,
but please feel free to backport it to existing packages.
-Ivo
Package: vorbis-tools
Version: 1.2.0-1.1
Severity: grave
Tags: patch security
Justification: user security hole
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch
vorbis-tools contains embedded speex code, and although vorbis-tools is linked
to libspeex, it compiles the vulnerable