Hi. The current release of vorbis-tools (1.4.0) contains several (potential?) security issues (CVE-2014-9638, CVE-2014-9639, CVE-2015-6749) and at least one segfault bug.

For the first three, downstream patches seem to exist (e.g. link and link). I do not know why these were not upstreamed, i.e. are not contained in xiph-tools.git (at least I didn't find the fixes there). The segfault bug is fixed in git master.

So... could you *please* check and add the known fixes and afterwards create a proper release? According to CHANGES, the last one is from 2010-03-25 ...

(Yes, I know that Opus is the fancy new stuff, but this does not mean that vorbis.* should rot away silently.)

Tickets:
https://trac.xiph.org/ticket/2009
https://trac.xiph.org/ticket/2137
https://trac.xiph.org/ticket/2136

(Note that there might be additional interesting fixes, e.g. in the patches directory linked above - I did not check if these were upstreamed. The CVEs certainly should have higher priority, though.)
$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg
Encoding standard input to "out.ogg" at quality 3.00
1+0 records in
1+0 records out
1 byte (1 B) copied, 2.0883e-05 s, 47.9 kB/s
Done encoding file "out.ogg"
File length: 0m 00.0s
Elapsed time: 0m 00.1s
Rate: 0.0000
Average bitrate: inf kb/s

$ oggenc ./crash_div_zero.wav
ERROR: Input file "./crash_div_zero.wav" is not a supported format

$ oggenc ./crash_ex.wav
ERROR: Input file "./crash_ex.wav" is not a supported format
They probably moved on to bigger and more important things, like Daala and Opus.