| Name | CVE-2018-1000050 |
| Description | Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer Overflow vulnerability in All vorbis decoding paths. that can result in memory corruption, denial of service, comprised execution of host program. This attack appear to be exploitable via Victim must open a specially crafted Ogg Vorbis file. This vulnerability appears to have been fixed in 1.13. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libstb (PTS) | buster | 0.0~git20180212.15.e6afb9c-1 | fixed |
| buster (security) | 0.0~git20180212.15.e6afb9c-1+deb10u1 | fixed |
| bullseye | 0.0~git20200713.b42009b+ds-1 | fixed |
| bookworm | 0.0~git20220908.8b5f1f3+ds-1 | fixed |
| trixie | 0.0~git20230129.5736b15+ds-1 | fixed |
| sid | 0.0~git20230129.5736b15+ds-1.2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| libstb | source | (unstable) | (not affected) | | | |
Notes
- libstb <not-affected> (Fixed before initial upload to Debian)
https://github.com/nothings/stb/commit/dfff6f5e7cd412876fe6282f157c1928b99d1de9
Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio