> CVE-2009-2663[0]:
> | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> | 3.5.x before 3.5.2 and other products, allows context-dependent
> | attackers to cause a denial of service (memory corruption and
> | application crash) or possibly execute arbitrary code via a crafted
> | .ogg file.
I've applied upstream's patch[*] to the etch and lenny libvorbis releases:
http://p12n.org/tmp/cve-2009-2663/libvorbis_1.1.2.dfsg-1.4+etch1.dsc
http://p12n.org/tmp/cve-2009-2663/libvorbis_1.2.0.dfsg-3.1+lenny1.dsc
I'm prepared to upload the same patch to sid, as libvorbis 1.2.0.dfsg-6.
(I could upload a new upstream version, but I'd like to try and resolve
a dfsg situation there first.)
[*] svn diff -r16180:16182 http://svn.xiph.org/trunk/vorbis
--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/