Quoting Mozilla Foundation Security Advisory 2009-63:
Georgi Guninski reported a crash in liboggz.
The advisory provides the following bug list:
with only 512327 being public at the moment, which is for the liboggz rebase to 0.9.9.
Looking into the liboggz upstream ChangeLog, Mozilla bug 515376 is mentioned as fixed in version 1.0.0:
* Mozilla #515376: Check index in dirac_parse_info()
It is not tagged as a security fix in the liboggz changelog, even though there's a fairly large list of security fixes mentioned in 0.9.9:
* Handle allocation failure due to out of memory throughout, for Mozilla
  bug 468280. Adds new error return OGGZ_ERR_OUT_OF_MEMORY
* skeleton.c::ogg_from_fisbone(): avoid memcpy of NULL
  fp->message_header_fields. Fixes ticket:408, reported by j^
* Mozilla bug 463756: return an error when a hole (ie. missing sequence
  number) is detected in the headers of a track
* Remove dead code from oggz_read.c for ticket:439, reported by Coverity
* Check for NULL return value of val in cgi.c
  (ticket:438, reported by Coverity)
* Add NULL return checks
  (ticket:440, reported by Coverity)
* Check for integer overflows in calculations for realloc and when using
  strlen returns. For Mozilla bug 480014
* Don't map all errors to OGGZ_ERR_STOP_ERR
  Required for Mozilla bug 481933
  Exposes detected HOLE_IN_DATA as return value from oggz_read(),
  oggz_read_input(), and add documentation for extra return values
* Apply patch by Jim Blandy from Mozilla bug 480521
  Avoid overflow in comment lengths
What is the plan for Fedora with this? Lots of backports or move to 1.0+ in all current versions?
Looking at this one. I think it is better to update it to the latest 1.xx releases.
liboggz-1.1.1-1.fc13 has been submitted as an update for Fedora 13.
liboggz-1.1.1-1.fc12 has been submitted as an update for Fedora 12.
liboggz-1.1.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
libannodex-0.7.3-14.fc13, mod_annodex-0.2.2-13.fc13, liboggz-1.1.1-1.fc13, libfishsound-0.9.1-5.fc13, sonic-visualiser-1.7.2-1.fc13 has been submitted as an update for Fedora 13.
libannodex-0.7.3-14.fc13, mod_annodex-0.2.2-13.fc13, liboggz-1.1.1-1.fc13, libfishsound-0.9.1-5.fc13, sonic-visualiser-1.7.2-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.