CVE-2023-43361: GitHub - xiph/vorbis-tools: Command-line tools for creating and playing Ogg Vorbis files.

Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.


WHAT’S HERE:

This source distribution includes the vorbis-tools and nothing else. The audio codec libraries for use with Ogg bitstreams are contained in other modules: vorbis, speex and flac.

DIRECTORIES:

debian/          debian packaging stuff
include/         header files shared between the tools
intl/            GNU gettext library from gettext-0.10.40 (for i18n support)
ogg123/          an ogg vorbis command line audio player
oggenc/          the ogg vorbis encoder
oggdec/          a simple, portable command line decoder (to wav and raw)
ogginfo/         provides information (tags, bitrate, length, etc.) about an ogg vorbis file
po/              translations for non-English languages
share/           code shared between the tools
vcut/            cuts an ogg vorbis file into two parts at a particular point
vorbiscomment/   edits the comments in an ogg vorbis file
win32/           Win32 build stuff

DEPENDENCIES:

All of the tools require libogg and libvorbis to be installed (along with the header files). Additionally, ogg123 requires libao, libcurl, and a POSIX-compatible thread library. Ogg123 can optionally be compiled to use libFLAC and libspeex. Oggenc can optionally be compiled with libFLAC and libkate. The libraries libogg, libvorbis, and libao are all available at https://xiph.org/vorbis/

The libcurl library is packaged with most Linux distributions. The source code can also be downloaded from: http://curl.haxx.se/libcurl/

FLAC is available at: https://xiph.org/flac/

Speex is available at: https://www.speex.org/

libkate is available at: http://libkate.googlecode.com/

CONTACT:

The Ogg Vorbis homepage is located at 'https://xiph.org/vorbis/'. Up to date technical documents, contact information, source code and pre-built utilities may be found there.

Developer information is available from http://www.xiph.org/. Check there for bug reporting information, mailing lists and other resources.

BUILDING FROM SUBVERSION (see the file HACKING for details):

./autogen.sh
make

and as root if desired:

make install

This will install the tools into /usr/local/bin and manpages into /usr/local/man.

BUILDING FROM TARBALL DISTRIBUTIONS:

./configure
make

and as root if desired:

make install

BUILDING RPMS:

RPMs may be built by:

after autogen.sh or configure

make dist
rpm -ta vorbis-tools-<version>.tar.gz

KNOWN BUGS:

#1321 First noticed in non-English versions of the application, ogg123 has a major bug when it comes to status messages in the shell: any output bigger than the console’s width will break and start spamming that message infinitely until the console is resized.

Different attempts to fix this bug have ended up causing bigger problems, leading to the conclusion that it simply can’t be fixed without a large rewrite of the application, which will not happen any time soon. If you come across this issue, please increase your terminal window size.
