Package: libvorbis0a
Version: 1.2.0.dfsg-3
Severity: normal
Tags: security

Hi,

As discussed on IRC with dato, here is the information on this: the following CVE (0) has been issued against vorbis.

CVE-2008-2009: Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.

Now the version in unstable is not as old as the one mentioned in the CVE. However, I was wondering if the sanity checks upstream added in their patch (1) are needed for our Debian versions as well? Could someone familiar with the code maybe have a look?

Cheers
Steffen

(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2009
(1): https://trac.xiph.org/changeset/14811?format=diff&new=14811
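The "underpopulated Huffman tree" condition named in the CVE text can be detected before any decode tree is built by checking the Kraft sum of the codebook's codeword lengths. The following C is an added example written for this report, not upstream's patch nor libvorbis code; the function names, the fixed-point representation and the decision to reject underpopulated as well as oversubscribed length sets are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of validating the code-length list of a prefix-code codebook. */
enum huff_status {
    HUFF_COMPLETE = 0,       /* Kraft sum == 1: every leaf slot is populated   */
    HUFF_UNDERPOPULATED = 1, /* Kraft sum <  1: some prefixes lead to no entry */
    HUFF_OVERSUBSCRIBED = 2, /* Kraft sum >  1: more codes than the space holds */
    HUFF_BAD_LENGTH = 3      /* a length this checker cannot represent         */
};

/* Check the Kraft sum of a set of codeword lengths. Entries of length 0 are
 * unused (as in a Vorbis codebook) and are skipped. The sum is kept in 32.32
 * fixed point (1.0 == 1 << 32), so every length up to 32 is exact; the early
 * return on overshoot keeps the total bounded at just over 1.0.
 * Single-used-entry codebooks, which the Vorbis format treats as a special
 * case, are out of scope here (assumption: the caller handles them). */
enum huff_status huff_check_lengths(const uint8_t *lengths, size_t n)
{
    const uint64_t one = (uint64_t)1 << 32;
    uint64_t sum = 0;

    for (size_t i = 0; i < n; i++) {
        if (lengths[i] == 0)
            continue;                       /* unused entry */
        if (lengths[i] > 32)
            return HUFF_BAD_LENGTH;
        sum += one >> lengths[i];           /* add 2^-length */
        if (sum > one)
            return HUFF_OVERSUBSCRIBED;     /* already invalid; stop early */
    }
    return sum == one ? HUFF_COMPLETE : HUFF_UNDERPOPULATED;
}

/* Gate a decoder would apply before building any lookup structure from
 * untrusted code lengths: returns 0 when it is safe to proceed, -1 otherwise.
 * A merely underpopulated tree is rejected too, because walking it on an
 * arbitrary bit pattern reaches a prefix with no entry behind it. */
int codebook_lengths_ok(const uint8_t *lengths, size_t n)
{
    return huff_check_lengths(lengths, n) == HUFF_COMPLETE ? 0 : -1;
}
```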

