Arch Linux Security Advisory ASA-201803-21 ========================================== Severity: Critical Date : 2018-03-19 CVE-ID : CVE-2017-14632 CVE-2017-14633 CVE-2018-5146 Package : lib32-libvorbis Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-658 Summary ======= The package lib32-libvorbis before version 1.3.6-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 1.3.6-1. # pacman -Syu "lib32-libvorbis>=1.3.6-1" The problems have been fixed upstream in version 1.3.6. Workaround ========== None. Description =========== - CVE-2017-14632 (arbitrary code execution) fXiph.Org libvorbis before 1.3.6 allows remote code execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. - CVE-2017-14633 (denial of service) In Xiph.Org libvorbis before 1.3.6, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). - CVE-2018-5146 (arbitrary code execution) An out of bounds memory write vulnerability has been discovered in libvorbis before 1.3.6 while processing Vorbis audio data related to codebooks that are not an exact divisor of the partition size. Impact ====== A remote attacker is able to execute arbitrary code or crash the application by tricking the user into playing a specially crafted vorbis file. References ========== https://github.com/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d32... https://github.com/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab9... https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce... http://seclists.org/oss-sec/2018/q1/243 https://security.archlinux.org/CVE-2017-14632 https://security.archlinux.org/CVE-2017-14633 https://security.archlinux.org/CVE-2018-5146