libvorbis multiple vulnerabilities
================
Author : qflb.wu
===============

Introduction:
=============
The libvorbis package contains a general purpose audio and music encoding format. This is useful for creating (encoding) and playing (decoding) sound in an open (patent free) format.

Affected version:
=====
1.3.5

Vulnerability Description:
==========================
1. The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service (OOM) via a crafted wav file.

I found this bug when I tested Sound eXchange (SoX) 14.4.2, which used the libvorbis library.

./sox libvorbis_1.3.5_OOM.wav out.ogg

/var/log/syslog info:

Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child
Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB
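For triage, the syslog excerpt above can be matched mechanically to spot hosts where an audio conversion job was OOM-killed. This is an added example, not part of the original advisory; the function name, the regular expression and the third log line are assumptions made here.

```python
import re

# Kernel OOM-killer "Killed process" record as written to syslog. The
# bracketed kernel timestamp may be empty (as in the advisory's excerpt)
# or numeric, so anything up to the closing bracket is accepted.
KILLED_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s\[[^\]]*\]\s"
    r"Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\)"
    r".*?total-vm:(?P<total_vm_kb>\d+)kB, anon-rss:(?P<anon_rss_kb>\d+)kB"
)

# The first two lines are the advisory's own syslog excerpt. The third is
# a constructed, unrelated line showing that other input is skipped.
SAMPLE_LOG = """\
Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child
Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB
Jul 13 19:58:09 ubuntu CRON[44210]: (root) CMD (constructed sample line)
"""


def find_oom_kills(log_text, watched=("sox",)):
    """Return one record per OOM kill of a watched process name.

    `watched` is an assumption: list whichever binaries on the host link
    against libvorbis and handle untrusted audio files.
    """
    kills = []
    for line in log_text.splitlines():
        m = KILLED_RE.match(line)
        if m is None or m.group("comm") not in watched:
            continue
        kills.append({
            "when": m.group("when"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "comm": m.group("comm"),
            "total_vm_kb": int(m.group("total_vm_kb")),
            "anon_rss_kb": int(m.group("anon_rss_kb")),
        })
    return kills


if __name__ == "__main__":
    for kill in find_oom_kills(SAMPLE_LOG):
        print(kill)
```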