Debian Bug report logs - #886503
wildmidi: CVE-2017-1000418

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Jan 2018 22:36:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version wildmidi/0.4.0-1

Fixed in version wildmidi/0.4.2-1

Done: Bret Curtis <psi29a@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Mindwerks/wildmidi/issues/178


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bret Curtis <psi29a@gmail.com>:
Bug#886503; Package src:wildmidi. (Sat, 06 Jan 2018 22:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bret Curtis <psi29a@gmail.com>. (Sat, 06 Jan 2018 22:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wildmidi: CVE-2017-1000418
Date: Sat, 06 Jan 2018 23:32:12 +0100
Source: wildmidi
Version: 0.4.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/Mindwerks/wildmidi/issues/178

Hi,

the following vulnerability was published for wildmidi.

CVE-2017-1000418[0]:
| The WildMidi_Open function in WildMIDI since commit
| d8a466829c67cacbb1700beded25c448d99514e5 allows remote attackers to
| cause a denial of service (heap-based buffer overflow and application
| crash) or possibly have unspecified other impact via a crafted file.

Note the CVE description looks wrong regarding "since commit" because
that's just the preceding commit to the fixing commit, AFAICS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000418
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000418
[1] https://github.com/Mindwerks/wildmidi/issues/178
[2] https://github.com/Mindwerks/wildmidi/commit/814f31d8eceda8401eb812fc2e94ed143fdad0ab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Bret Curtis <psi29a@gmail.com>:
You have taken responsibility. (Sun, 07 Jan 2018 00:27:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 07 Jan 2018 00:27:06 GMT)


Message #10 received at 886503-close@bugs.debian.org:

From: Bret Curtis <psi29a@gmail.com>
To: 886503-close@bugs.debian.org
Subject: Bug#886503: fixed in wildmidi 0.4.2-1
Date: Sun, 07 Jan 2018 00:22:36 +0000
Source: wildmidi
Source-Version: 0.4.2-1

We believe that the bug you reported is fixed in the latest version of
wildmidi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886503@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bret Curtis <psi29a@gmail.com> (supplier of updated wildmidi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 07 Jan 2018 00:45:44 +0100
Source: wildmidi
Binary: wildmidi libwildmidi2 libwildmidi-dev libwildmidi-config
Architecture: source
Version: 0.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Bret Curtis <psi29a@gmail.com>
Changed-By: Bret Curtis <psi29a@gmail.com>
Description:
 libwildmidi-config - software MIDI player configuration
 libwildmidi-dev - software MIDI player library headers
 libwildmidi2 - software MIDI player library
 wildmidi   - software MIDI player
Closes: 871616 886503
Changes:
 wildmidi (0.4.2-1) unstable; urgency=medium
 .
   [ Bret Curtis ]
   * New upstream release.
     - Fix CVE-2017-11661, CVE-2017-11662, CVE-2017-11663. (Closes: #871616)
     - Fix CVE-2017-1000418. (Closes: #886503)
   * Declare compliance with Debian Policy 4.1.3.
 .
   [ Markus Koschany ]
   * Switch to compat level 11.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 09 Feb 2018 07:25:21 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:02:15 2019; Machine Name: buxtehude
