[arch-security] [ASA-201503-24] vorbis-tools: denial of service
anthraxx at archlinux.org
Wed Mar 25 01:31:54 UTC 2015
Arch Linux Security Advisory ASA-201503-24
Date : 2015-03-25
CVE-ID : CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Package : vorbis-tools
Type : denial of service
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE
The package vorbis-tools before version 1.4.0-5 is vulnerable to denial
Upgrade to 1.4.0-5.
# pacman -Syu "vorbis-tools>=1.4.0-5"
The problems have been fixed upstream but no release is available yet.
- CVE-2014-9638 (denial of service)
A flaw in oggenc allows attackers to cause a denial of service
(divide-by-zero error and crash) via a WAV file with the number of
channels set to zero.
- CVE-2014-9639 (denial of service)
Integer overflow in oggenc allows attackers to cause a denial of service
(crash) via a crafted number of channels in a WAV file, which triggers
an out-of-bounds memory access.
- CVE-2014-9640 (denial of service)
A flaw in oggenc/oggenc.c allows attackers to cause a denial of service
(out-of-bounds read) via a crafted raw file.
An attacker is able to use a specially crafted file that is leading to
application crash resulting in denial of service when processed by oggenc.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security