Security update for libvorbis SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1345-1 Final 1 1 2018-05-18T10:57:47Z current 2018-05-18T10:57:47Z 2018-05-18T10:57:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libvorbis This update for libvorbis fixes the following issues: Security issues fixed: - CVE-2018-10393: Fixed stack-based buffer over-read in bark_noise_hybridm (bsc#1091072). - CVE-2017-14160: Fixed out-of-bounds access inside bark_noise_hybridmp function (bsc#1059812). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00084.html E-Mail link for openSUSE-SU-2018:1345-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libvorbis-1.3.3-14.1 libvorbis-devel-1.3.3-14.1 libvorbis-doc-1.3.3-14.1 libvorbis0-1.3.3-14.1 libvorbis0-32bit-1.3.3-14.1 libvorbisenc2-1.3.3-14.1 libvorbisenc2-32bit-1.3.3-14.1 libvorbisfile3-1.3.3-14.1 libvorbisfile3-32bit-1.3.3-14.1 libvorbis-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbis-devel-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbis-doc-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbis0-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbis0-32bit-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbisenc2-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbisenc2-32bit-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbisfile3-1.3.3-14.1 as a component of openSUSE Leap 42.3 libvorbisfile3-32bit-1.3.3-14.1 as a component of openSUSE Leap 42.3 The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file. CVE-2017-14160 openSUSE Leap 42.3:libvorbis-1.3.3-14.1 openSUSE Leap 42.3:libvorbis-devel-1.3.3-14.1 openSUSE Leap 42.3:libvorbis-doc-1.3.3-14.1 openSUSE Leap 42.3:libvorbis0-1.3.3-14.1 openSUSE Leap 42.3:libvorbis0-32bit-1.3.3-14.1 openSUSE Leap 42.3:libvorbisenc2-1.3.3-14.1 openSUSE Leap 42.3:libvorbisenc2-32bit-1.3.3-14.1 openSUSE Leap 42.3:libvorbisfile3-1.3.3-14.1 openSUSE Leap 42.3:libvorbisfile3-32bit-1.3.3-14.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00084.html https://www.suse.com/security/cve/CVE-2017-14160.html CVE-2017-14160 https://bugzilla.suse.com/1059812 SUSE Bug 1059812 https://bugzilla.suse.com/1091072 SUSE Bug 1091072 bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read. CVE-2018-10393 openSUSE Leap 42.3:libvorbis-1.3.3-14.1 openSUSE Leap 42.3:libvorbis-devel-1.3.3-14.1 openSUSE Leap 42.3:libvorbis-doc-1.3.3-14.1 openSUSE Leap 42.3:libvorbis0-1.3.3-14.1 openSUSE Leap 42.3:libvorbis0-32bit-1.3.3-14.1 openSUSE Leap 42.3:libvorbisenc2-1.3.3-14.1 openSUSE Leap 42.3:libvorbisenc2-32bit-1.3.3-14.1 openSUSE Leap 42.3:libvorbisfile3-1.3.3-14.1 openSUSE Leap 42.3:libvorbisfile3-32bit-1.3.3-14.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00084.html https://www.suse.com/security/cve/CVE-2018-10393.html CVE-2018-10393 https://bugzilla.suse.com/1091072 SUSE Bug 1091072