vorbis-tools appears to include vulnerable speex code as explained in [1]
[1] http://www.ocert.org/advisories/ocert-2008-2.html