Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Jan 2015 11:50:16 -0500 (EST)
From: cve-assign@...re.org
To: Hanno Böck <hanno@...eck.de>
cc: mprpic@...hat.com, oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE request: two issues in vorbis-tools


On Wed, 21 Jan 2015, Hanno Böck wrote:

> On Wed, 21 Jan 2015 13:50:46 +0100
> Martin Prpic <mprpic@...hat.com> wrote:
>
>> Two issues were reported in vorbis-tools on Full Disclosure:
>>
>> http://seclists.org/fulldisclosure/2015/Jan/78

CVE-2014-9638 - https://trac.xiph.org/ticket/2137 (division by zero)

CVE-2014-9639 - https://trac.xiph.org/ticket/2136 (integer overflow)

(These received IDs from 2014 due to the date of the bug report.)

> In addition to that: I reported this issue
> https://trac.xiph.org/ticket/2009
> a while back which also crashes oggenc.
>
> I didn't think about security implications back then, but it's also an
> out of bounds read issue.
>
> After bugging the devs on irc it got fixed in the code but never saw a
> release.

Use CVE-2014-9640.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ