Candidate: CVE-2017-11333
PublicDate: 2017-07-31 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11333
 http://seclists.org/fulldisclosure/2017/Jul/82
 https://ubuntu.com/security/notices/USN-3569-1
Description:
 The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis
 1.3.5 allows remote attackers to cause a denial of service (OOM) via a
 crafted wav file.
Ubuntu-Description:
Notes:
 mdeslaur> same fix as CVE-2017-14633
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870341
 https://sourceforge.net/p/sox/bugs/296/
 https://gitlab.xiph.org/xiph/vorbis/issues/2332
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [5.5 MEDIUM]

Patches_libvorbis:
 upstream: https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
upstream_libvorbis: needs-triage
precise/esm_libvorbis: DNE
trusty_libvorbis: released (1.3.2-1.3ubuntu1.1)
trusty/esm_libvorbis: DNE (trusty was released [1.3.2-1.3ubuntu1.1])
vivid/ubuntu-core_libvorbis: DNE
xenial_libvorbis: released (1.3.5-3ubuntu0.1)
esm-infra/xenial_libvorbis: released (1.3.5-3ubuntu0.1)
zesty_libvorbis: ignored (reached end-of-life)
artful_libvorbis: released (1.3.5-4ubuntu0.1)
bionic_libvorbis: not-affected (1.3.5-4.1)
devel_libvorbis: not-affected (1.3.5-4.1)