libvorbis 1.3.6 is in cosmic and the CVEs were already fixed in bionic (and earlier through security updates, I believe)

** Changed in: libvorbis (Ubuntu)
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1756516

Title:
  update libvorbis to 1.3.6

Status in libvorbis package in Ubuntu:
  Fix Released

Bug description:
  libvorbis 1.3.6 (2018-03-16) -- "Xiph.Org libVorbis I 20180316 (Now 100% fewer shells)"

  * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
  * Fix CVE-2017-14632 - free() on uninitialized data
  * Fix CVE-2017-14633 - out-of-bounds read
  * Fix bitrate metadata parsing.
  * Fix out-of-bounds read in codebook parsing.
  * Fix residue vector size in Vorbis I spec.
  * Appveyor support
  * Travis CI support
  * Add secondary CMake build system.
  * Build system fixes