soundtouch: CVE-2017-9259

Related Vulnerabilities: CVE-2017-9259   CVE-2017-9258   CVE-2017-9260  

Debian Bug report logs - #870856

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Aug 2017 19:48:08 UTC

Severity: important

Tags: security, upstream

Found in versions soundtouch/1.8.0-1, soundtouch/1.9.2-2

Fixed in version soundtouch/1.9.2-3

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#870856; Package src:soundtouch. (Sat, 05 Aug 2017 19:48:11 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 05 Aug 2017 19:48:11 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: soundtouch: CVE-2017-9259
Date: Sat, 05 Aug 2017 21:46:20 +0200
Source: soundtouch
Version: 1.9.2-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for soundtouch.

CVE-2017-9259[0]:
| The TDStretch::acceptNewOverlapLength function in
| source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote
| attackers to cause a denial of service (memory allocation error and
| application crash) via a crafted wav file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9259
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9259

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from Gabor Karsay <gabor.karsay@gmx.at> to control@bugs.debian.org. (Thu, 30 Nov 2017 14:15:08 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#870856. (Thu, 30 Nov 2017 14:15:12 GMT).


Message #10 received at 870856-submitter@bugs.debian.org:

From: Gabor Karsay <gabor.karsay@gmx.at>
To: 870856-submitter@bugs.debian.org
Subject: Bug#870856 marked as pending
Date: Thu, 30 Nov 2017 14:13:30 +0000

tag 870856 pending
thanks

Hello,

Bug #870856 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/soundtouch.git/commit/?id=9491870

---
commit 949187068dea2d5070d5beb15c1479e888e0ebdd
Author: Gabor Karsay <gabor.karsay@gmx.at>
Date:   Thu Nov 30 15:02:58 2017 +0100

    Update changelog for review

diff --git a/debian/changelog b/debian/changelog
index afdd19f..dfdf96b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+soundtouch (1.9.2-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch to fix
+    - CVE-2017-9258 (Closes: #870854)
+    - CVE-2017-9259 (Closes: #870856)
+    - CVE-2017-9260 (Closes: #870857)
+
+ -- Gabor Karsay <gabor.karsay@gmx.at>  Thu, 30 Nov 2017 14:59:52 +0100
+
 soundtouch (1.9.2-2) unstable; urgency=medium
 
   * Upload to unstable.
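
Review bot: The new 1.9.2-3 entry says only "Add patch to fix" and never names the patch file, so the changelog alone does not show which file carries the fixes for CVE-2017-9258, CVE-2017-9259 and CVE-2017-9260, or whether one patch covers all three. Put the patch's file name in that bullet so each "Closes:" line can be traced to a concrete change. This commit touches only debian/changelog, so the code fix itself is not visible here and needs to be reviewed in the commit that adds it.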



Marked as found in versions soundtouch/1.8.0-1. Request was from James Cowgill <jcowgill@debian.org> to control@bugs.debian.org. (Wed, 27 Dec 2017 13:21:06 GMT).


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Wed, 27 Dec 2017 17:06:06 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 27 Dec 2017 17:06:06 GMT).


Message #17 received at 870856-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 870856-close@bugs.debian.org
Subject: Bug#870856: fixed in soundtouch 1.9.2-3
Date: Wed, 27 Dec 2017 17:03:51 +0000
Source: soundtouch
Source-Version: 1.9.2-3

We believe that the bug you reported is fixed in the latest version of
soundtouch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870856@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated soundtouch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 27 Dec 2017 16:31:50 +0000
Source: soundtouch
Binary: libsoundtouch4 libsoundtouch-dev soundstretch
Architecture: source
Version: 1.9.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libsoundtouch-dev - Development files for the sound stretching library
 libsoundtouch4 - Sound stretching library
 soundstretch - Stretches and pitch-shifts sound independently
Closes: 870854 870856 870857
Changes:
 soundtouch (1.9.2-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Gabor Karsay ]
   * Add patch to fix
     - CVE-2017-9258 (Closes: #870854)
     - CVE-2017-9259 (Closes: #870856)
     - CVE-2017-9260 (Closes: #870857)
 .
   [ James Cowgill ]
   * Use secure URLs where possible
   * debian/changelog:
     - Trim trailing whitespace in d/changelog.
   * debian/compat:
     - Use debhelper compat 11.
   * debian/control:
     - Drop manual debug packages.
     - Fix spelling mistake in soundstretch package description.
     - Bump standards version to 4.1.2.
     - Set Rules-Requires-Root: no.
     - Use canonical Vcs-* URLs.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Jan 2018 07:28:40 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:51 2019; Machine Name: buxtehude
