Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

libass: CVE-2020-26682: Signed integer overflow

Related Vulnerabilities: CVE-2020-26682  

Source

Debian Bug report logs - #975108
libass: CVE-2020-26682: Signed integer overflow

version graph

Package: libass9; Maintainer for libass9 is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for libass9 is src:libass (PTS, buildd, popcon).

Reported by: Ian <nobrowser@gmail.com>

Date: Thu, 19 Nov 2020 05:45:08 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version libass/1:0.14.0-2

Fixed in version libass/1:0.15.0-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://github.com/libass/libass/issues/431

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, nobrowser@gmail.com, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#975108; Package libass9. (Thu, 19 Nov 2020 05:45:10 GMT) (full text, mbox, link).

Acknowledgement sent to Ian <nobrowser@gmail.com>:
New Bug report received and forwarded. Copy sent to nobrowser@gmail.com, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 19 Nov 2020 05:45:10 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ian <nobrowser@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libass9: Signed integer overflow (undefined behavior)
Date: Wed, 18 Nov 2020 21:44:34 -0800
Package: libass9
Version: 1:0.14.0-2
Severity: normal

Dear Maintainer,

please see upstream issue:

https://github.com/libass/libass/issues/431

This is fixed in version 0.15.* (and thus in Debian testing and unstable)
but I feel it still bears reporting because of possible security implications.

-- System Information:
Debian Release: 10.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-12-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libass9 depends on:
ii  libc6           2.28-10
ii  libfontconfig1  2.13.1-2
ii  libfreetype6    2.9.1-3+deb10u2
ii  libfribidi0     1.0.5-3.1+deb10u1
ii  libharfbuzz0b   2.3.1-1

libass9 recommends no packages.

libass9 suggests no packages.

-- no debconf information

Marked as fixed in versions libass/1:0.15.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2020 06:12:15 GMT) (full text, mbox, link).

Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2020 06:12:15 GMT) (full text, mbox, link).

Notification sent to Ian <nobrowser@gmail.com>:
Bug acknowledged by developer. (Thu, 19 Nov 2020 06:12:16 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream, upstream, and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2020 06:12:16 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/libass/libass/issues/431'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Nov 2020 06:12:17 GMT) (full text, mbox, link).

Message sent on to Ian <nobrowser@gmail.com>:
Bug#975108. (Thu, 19 Nov 2020 06:12:20 GMT) (full text, mbox, link).

Message #18 received at 975108-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 975108-submitter@bugs.debian.org, team@security.debian.org
Subject: closing 975108, tagging 975108 ...
Date: Thu, 19 Nov 2020 07:10:51 +0100
close 975108 1:0.15.0-1
tags 975108 + upstream fixed-upstream security
forwarded 975108 https://github.com/libass/libass/issues/431
thanks

Changed Bug title to 'libass: CVE-2020-26682: Signed integer overflow' from 'libass9: Signed integer overflow (undefined behavior)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Nov 2020 05:30:02 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 20 10:37:23 2020; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started