lp:ubuntu/hardy-security/libvorbis

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/libvorbis
Members of Ubuntu branches can upload to this branch.

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

13. By Marc Deslauriers

* SECURITY UPDATE: denial of service and possible code execution via
  multiple vulnerabilities
  - debian/patches/CVE-2009-3379.patch: Don't try to read past the end of
    the comment packet if the string lengths are corrupt in lib/info.c,
    check for premature EOP in lib/res0.c, implement hardening in
    lib/{codebook,floor1,info,mapping0}.c, eliminate blocklist overflow
    in lib/backends.h, don't allow codeword lengths longer than 32 bits
    in lib/codebook.c.
  - CVE-2009-3379
* SECURITY UPDATE: denial of service via underpopulated Huffman trees
  - debian/patches/upstream-r14811_huffman_sanity_checks.diff: add
    additional checking to the hufftree decoding in lib/block.c,
    examples/decoder_example.c, lib/sharedbook.c.
  - CVE-2008-2009
* SECURITY UPDATE: code execution via heap overflow in residue partition
  value (LP: #232150)
  - debian/patches/CVE-2008-1420-2.patch: add additional checks to fix
    issue, but still maintain backwards compatibility in lib/res0.c,
    lib/modes/{residue_44u,residue_44}.h, lib/backends.h.
  - CVE-2008-1420

12. By Marc Deslauriers

* SECURITY UPDATE: denial of service and possible code execution from
  crafted .ogg file (LP: #413528)
  - debian/patches/CVE-2009-2663.patch: don't allow repeated values in
    post list in lib/floor1.c and make sure maptype is valid in
    lib/res0.c.
  - CVE-2009-2663
* SECURITY UPDATE: code execution via heap overflow in residue partition
  value (LP: #232150)
  - debian/patches/CVE-2008-1420.patch: update patch to fix regression
    when reading files encoded with libvorbis 1.0beta1.
  - CVE-2008-1420

11. By Marc Deslauriers

* SECURITY UPDATE: crash or integer overflow with codebook.dim zero
  value (LP: #232150)
  - debian/patches/CVE-2008-1423+CVE-2008-1419.patch: make sure value of
    codebook.dim is not zero in lib/codebook.c
  - CVE-2008-1419
* SECURITY UPDATE: code execution via heap overflow in residue partition
  value (LP: #232150)
  - debian/patches/CVE-2008-1420.patch: verify the phrasebook is not
    specifying an impossible or inconsistent partitioning scheme in
    lib/res0.c
  - CVE-2008-1420
* SECURITY UPDATE: code execution via heap overflow in a quantvals and
  quantlist calculation (LP: #232150)
  - debian/patches/CVE-2008-1423+CVE-2008-1419.patch: add check for
    absurdly huge codebooks in lib/codebook.c
  - CVE-2008-1423

10. By Dato Simó

Bump shlibs for libvorbis0a due to new vorbis_synthesis_idheader header.
(Closes: #436083)

9. By Clint Adams

[ Adeodato Simó ]
* Use ${binary:Version} instead of ${Source-Version}.

[ Clint Adams ]
* New upstream release.
  - Remove upstream_r13198-fix_segfault_in_ov_time_seek.diff .
* Bump shlibs for libvorbisfile3 to >= 1.2.0 due to new ov_fopen
  function.

8. By Joey Hess

Fix shlibs files for libvorbisenc and libvorbisfile, which were broken
by my first NMU to have dependencies for libvorbis0a. Closes: #395048

7. By Sebastian Dröge

* Sync with Debian
* No remaining Ubuntu changes but different tarballs

6. By Fabio Massimo Di Nitto

Fix error in debian/rules and as a consequence FTBFS.

5. By Matthias Klose

* New upstream version.
* Build using default g++ again. Ubuntu #12722.

4. By Matthias Klose

Build using GCC 3.4. Addresses Ubuntu 12722.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/lucid/libvorbis