retitle 776086 CVE-2014-9638 CVE-2014-9639
thanks

Dear Salvatore,

thank you for reporting this!


Salvatore Bonaccorso wrote:
> CVE-2014-9638[0]:
> Oggenc division by zero issue

Confirmed with 1.4.0-6 as well as with the current git head. There doesn't seem to be a fix yet, so I am going to look into it.

> CVE-2014-9639[1]:
> Oggenc channel integer overflow

Confirmed with 1.4.0-6 as well as with the current git head. There doesn't seem to be a fix yet, so I am going to look into it.


> CVE-2014-9640[2]:
> segfault when trying to encode trivial raw input

This one is a duplicate of Debian bug #771363, which we fixed in December in version 1.4.0-6 (which made it into Jessie). No idea why the Debian security tracker lists 1.4.0-6 as vulnerable. This should be changed, but I don't know how.

Since it's classified as a security issue now, we should probably backport the fix to stable, shouldn't we?

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Will do, at least for the remaining 2 issues. For CVE-2014-9640 there was no CVE identifier when we fixed it.

Cheers,
Martin

