+++ This bug was initially created as a clone of Bug #22370 +++
openSUSE issued an advisory on January 9:
The updated packages fix security vulnerabilities:
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in info.c
when vi->channels<=0, a similar issue to Mozilla bug 550184 (CVE-2017-14632).
In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists
in the function mapping0_forward() in mapping0.c, which may lead to DoS when
operating on a crafted audio file with vorbis_analysis() (CVE-2017-14633).
Updated packages in core/updates_testing:
Tested by using sox to re-encode an mp3 file to ogg vorbis and playing it with mplayer. Confirmed with strace and lsof that both used the updated libraries.
Impressive. Thanks David for a lightning OK. Advisoried, validating.
An update for this issue has been pushed to the Mageia Updates repository.