Debian Security Advisory

DLA-420-1 libmatroska -- LTS security update

Date Reported: 18 Feb 2016
Affected Packages: libmatroska
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2014-9765.
More information:

It was discovered that there was an invalid memory address issue in libmatroska, a library for the Matroska extensible open standard audio/video container format.

When reading a block group or a simple block that uses EBML lacing, the frame sizes indicated in the lacing weren't checked against the available number of bytes. If the indicated frame size was bigger than the whole block's size, the parser would read beyond the end of the buffer, resulting in a heap information leak.

For Debian 6 Squeeze, this issue has been fixed in libmatroska version 0.8.1-1.1+deb6u1.
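
The check described above, as an added C illustration written for this page (it is not libmatroska's code or the actual patch): a simplified EBML lacing size parser that rejects any frame size larger than the bytes remaining in the block. The function names, the `max` parameter and the sample buffers are assumptions; the input is taken to start at the lace count byte that follows the block header.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one EBML variable-length integer, clearing its length marker bit.
 * Returns bytes consumed, or 0 if malformed or longer than `avail`. */
static size_t read_vint(const uint8_t *p, size_t avail, uint64_t *out)
{
    size_t n = 1;
    uint8_t mask = 0x80;
    if (avail == 0 || p[0] == 0)
        return 0;
    while (!(p[0] & mask)) { mask >>= 1; n++; }
    if (n > avail)
        return 0;
    *out = p[0] & (uint8_t)(mask - 1);
    for (size_t i = 1; i < n; i++)
        *out = (*out << 8) | p[i];
    return n;
}

/* p[0..len) starts at the lace count byte (frames - 1). The first size is a
 * vint; later ones are vint deltas biased by 2^(7n-1) - 1; the last frame
 * takes the rest. Returns the frame count, or -1 on any inconsistent size. */
int parse_ebml_lacing(const uint8_t *p, size_t len, size_t *sizes, size_t max)
{
    if (len < 1 || (size_t)p[0] + 1 > max)
        return -1;
    size_t frames = (size_t)p[0] + 1, pos = 1, total = 0;
    int64_t cur = 0;
    for (size_t i = 0; i + 1 < frames; i++) {
        uint64_t v = 0;
        size_t n = read_vint(p + pos, len - pos, &v);
        if (n == 0)
            return -1;
        pos += n;
        cur = i ? cur + (int64_t)v - (((int64_t)1 << (7 * n - 1)) - 1) : (int64_t)v;
        /* The bounds check: a frame may not claim more bytes than remain. */
        if (cur < 0 || total > len - pos || (uint64_t)cur > len - pos - total)
            return -1;
        sizes[i] = (size_t)cur;
        total += (size_t)cur;
    }
    sizes[frames - 1] = len - pos - total;
    return (int)frames;
}

/* Constructed samples: sizes 2, +1 delta (3), rest (1); then a first size of 127. */
const uint8_t good_lace[] = {0x02, 0x82, 0xC0, 'a', 'a', 'b', 'b', 'b', 'c'};
const uint8_t bad_lace[]  = {0x02, 0xFF, 0xC0, 'a', 'a', 'b', 'b', 'b', 'c'};
size_t lace_sizes[4];
```

Without the comparison against `len - pos - total`, the 127-byte size in `bad_lace` would be accepted for a 9-byte block and a later frame copy would read past the buffer.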