Debian Bug report logs - #904907
aubio: CVE-2018-14522: SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Paul Brossier <piem@debian.org>: Bug#904907; Package src:aubio. (Sun, 29 Jul 2018 11:24:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Paul Brossier <piem@debian.org>. (Sun, 29 Jul 2018 11:24:04 GMT)

Message #5 received at submit@bugs.debian.org:

Source: aubio
Version: 0.4.5-1.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/aubio/aubio/issues/188

Hi,

The following vulnerability was published for aubio, and demonstrable
by an ASAN build of aubio.

CVE-2018-14522[0]:
| An issue was discovered in aubio 0.4.6. A SEGV signal can occur in
| aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14522
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14522
[1] https://github.com/aubio/aubio/issues/188

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 06 Aug 2018 17:15:05 GMT)

Reply sent to Paul Brossier <piem@debian.org>: You have taken responsibility. (Mon, 10 Sep 2018 15:51:16 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 10 Sep 2018 15:51:16 GMT)

Message #12 received at 904907-close@bugs.debian.org:

Source: aubio
Source-Version: 0.4.6-1

We believe that the bug you reported is fixed in the latest version of
aubio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 904907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Brossier <piem@debian.org> (supplier of updated aubio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 10 Sep 2018 16:20:59 +0200
Source: aubio
Binary: libaubio-dev libaubio5 aubio-tools libaubio-doc python-aubio python3-aubio
Architecture: source
Version: 0.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Brossier <piem@debian.org>
Changed-By: Paul Brossier <piem@debian.org>
Description:
 aubio-tools - library for audio segmentation -- utilities
 libaubio-dev - library for audio and music analysis, synthesis, and effects
 libaubio-doc - library for audio segmentation -- documentation
 libaubio5  - library for audio segmentation
 python-aubio - Python interface for aubio, a library for audio segmentation
 python3-aubio - Python interface for aubio, a library for audio segmentation
Closes: 883355 884232 884237 888336 904906 904907 904908
Changes:
 aubio (0.4.6-1) unstable; urgency=medium
 .
   * New upstream version 0.4.6
   * Acknowledge NMU (thanks to Sebastian Ramacher, closes: #888336)
   * debian/watch: use https
   * debian/copyright: fix file path
   * debian/control:
     - remove duplicate Section from aubio-tools
     - capitalize Python in short descriptions
     - remove obsolete X-Python fields
     - bump Standards-Version to 4.2.1
     - move Vcs-Git and Browser to salsa.d.o
   * debian/rules:
     - add a comment to enable bindnow hardening
     - add -Wl,--as-needed to LDFLAGS
     - clean waf_gensyms and python/tests/sounds
   * debian/patches:
     - add upstream patches to fix security issues
     - add avoid_deprecated to omit av_register_all() where deprecated
   * CVE-2017-17054 div by zero, thx to my123px (closes: #883355)
   * CVE-2017-17554 null pointer dereference, thx to IvanCql (closes: #884237)
   * CVE-2017-17555 denial of service, thx to IvanCql (closes: #884232)
   * CVE-2018-14521 SEGV in aubiomfcc, thx to fCorleone (closes: #904908)
   * CVE-2018-14522 SEGV in aubionotes, thx to fCorleone (closes: #904907)
   * CVE-2018-14523 global buffer overflow, thx to fCorleone (closes: #904906)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Oct 2018 07:25:54 GMT)

Last modified: Wed Jun 19 18:34:17 2019