Changelog for
libvorbis0-1.3.6-150000.4.5.2.x86_64.rpm :
* Tue Jun 05 2018 tiwaiAATTsuse.de- Replace vorbis-CVE-2017-14160.patch with the upstream fix (commit 018ca26dece6), refresh vorbis-CVE-2018-10393.patch- Fix the validation of channels in mapping0_forward() (CVE-2018-10392, bsc#1091070): vorbis-CVE-2018-10392.patch
* Thu May 03 2018 tiwaiAATTsuse.de- Fix out-of-bounds access inside bark_noise_hybridmp function (CVE-2017-14160, bsc#1059812): downstream fix: vorbis-CVE-2017-14160.patch- Fix stack-basedbuffer over-read in bark_noise_hybridm (CVE-2018-10393, bsc#1091072): downstream fix: vorbis-CVE-2018-10393.patch
* Sat Mar 17 2018 tiwaiAATTsuse.de- Split libvorbis-doc subpackage to a separate spec file for reducing the dependencies
* Fri Mar 16 2018 tiwaiAATTsuse.de- Update to version 1.3.6:
* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on unitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes- Build documents with doxygen, and many tex stuff; this requires to disable parallel builds partially- Move COPYING to license directory- Drop obsoleted patches: vorbis-fix-linking.patch 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch libvorbis-CVE-2018-5146.patch
* Fri Mar 16 2018 tiwaiAATTsuse.de- Fix VUL-0: libvorbis: Out of bounds memory write while processing Vorbis audio data (CVE-2018-5146, bsc#1085687): libvorbis-CVE-2018-5146.patch
* Tue Dec 19 2017 tiwaiAATTsuse.de- Fix VUL-0: out-of-bounds array read vulnerability exists in function mapping0_forward() (CVE-2017-14633, bsc#1059811): 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch- Fix VUL-0: Remote Code Execution upon freeing uninitialized memory in function vorbis_analysis_headerout(CVE-2017-14632, bsc#1059809): 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
* Tue Nov 29 2016 aloisioAATTgmx.com- Added 32bit libvorbis-devel in baselibs.conf
* Fri Mar 06 2015 mpluskalAATTsuse.com- Cleanup spec file with spec-cleaner- Update to 1.3.5
* Tolerate single-entry codebooks.
* Fix decoder crash with invalid input.
* Fix encoder crash with non-positive sample rates.
* Fix issues in vorbisfile\'s seek bisection code.
* Spec errata.
* Reject multiple headers of the same type.
* Various build fixes and code cleanup.
* Mon Aug 18 2014 fcrozatAATTsuse.com- Fix obsoletes and provides in baselibs.conf.
* Sun Feb 23 2014 andreas.stiegerAATTgmx.de- Xiph libvorbis 1.3.4
* reduced static data size in libvorbisenc
* associated minor changes required to libvorbis and libvorbisfile
* minor build fixes and build system updates
* no functional changes over the previous 1.3.3 release- removed libvorbis-pkgconfig.patch, in upstream- updated vorbis-fix-linking.patch for context changes