Debian Bug report logs -
#922372
libsndfile: CVE-2019-3832: incomplete fix for CVE-2018-19758 still allow to read beyond buffer limits
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#922372; Package src:libsndfile.
(Fri, 15 Feb 2019 07:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Fri, 15 Feb 2019 07:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libsndfile
Version: 1.0.28-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/456
Hi,
The following vulnerability was published for libsndfile.
CVE-2019-3832[0]:
incomplete fix for CVE-2018-19758
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-3832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3832
[1] https://github.com/erikd/libsndfile/issues/456
[2] https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Fri, 08 Mar 2019 02:48:09 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#922372.
(Fri, 08 Mar 2019 18:57:05 GMT) (full text, mbox, link).
Message #10 received at 922372-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #922372 in libsndfile reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/multimedia-team/libsndfile/commit/a6902a2a2b91d93b1f9667763a2d58c39db63758
------------------------------------------------------------------------
Backported fix for out-of-bound reading (CVE-2019-3832)
Closes: #922372
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/922372
Added tag(s) pending.
Request was from IOhannes zmölnig <noreply@salsa.debian.org>
to 922372-submitter@bugs.debian.org.
(Fri, 08 Mar 2019 18:57:06 GMT) (full text, mbox, link).
Reply sent
to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>:
You have taken responsibility.
(Fri, 08 Mar 2019 20:39:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 08 Mar 2019 20:39:07 GMT) (full text, mbox, link).
Message #17 received at 922372-close@bugs.debian.org (full text, mbox, reply):
Source: libsndfile
Source-Version: 1.0.28-6
We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 922372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 08 Mar 2019 20:35:07 +0100
Source: libsndfile
Architecture: source
Version: 1.0.28-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Closes: 922372
Changes:
libsndfile (1.0.28-6) unstable; urgency=medium
.
* Backported fix for out-of-bound reading (CVE-2019-3832) (Closes: #922372)
Checksums-Sha1:
8acede486d6aee889aec91447bbba4b61f10952a 2195 libsndfile_1.0.28-6.dsc
c43e98dbfde8d64e97cdb190c4c054eeb1a5de91 16332 libsndfile_1.0.28-6.debian.tar.xz
f6cfacb606ab5a1fa7bcb6effeca68131b490490 6848 libsndfile_1.0.28-6_amd64.buildinfo
Checksums-Sha256:
91d5bd81cb4e8ebc01e54ec7398f47aa0ff78330640c599c046ad019b240ee45 2195 libsndfile_1.0.28-6.dsc
25ae11e5742ef808cf9e74dbfb905323b9aa31941f35847e939380818c98e5cc 16332 libsndfile_1.0.28-6.debian.tar.xz
431a2da22ea7882859ad72cc41bd423e91b67859bbcdd09e0750558ea6b6dc94 6848 libsndfile_1.0.28-6_amd64.buildinfo
Files:
40e6dfaddb002f851411a87d9e28732f 2195 devel optional libsndfile_1.0.28-6.dsc
80298beb16d7c9ea0c4b9f90d9c8db54 16332 devel optional libsndfile_1.0.28-6.debian.tar.xz
f3d8f34897a107cdd9ce29717fe4a69a 6848 devel optional libsndfile_1.0.28-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEdAXnRVdICXNIABVttlAZxH96NvgFAlyCxWUACgkQtlAZxH96
NvhZrQ/8Cm4ha2CWTiw6b5lyLehOENFg1G2U/mx9fx+7kia9kmjwBqs5VqjrG4RN
XP6xX66z+v1uz9qaxcRx+DlwV6M0Eikzaur9QqyFVvzTaSpuJdgelF9JPx2TAe/K
N8+qLBEE6Om88vcJeiwfL1t0p/mpKrwCUMiJa50d36YUaQn966iQgawqjth4hecE
276iAxFC5UuPloLjyIjouhbtb15irg5eLl0/oM2QamyoiTyRBh82llF9ROGW862+
/xa14iaT8OVlK0GhXoTQ1Z+JIEiB52J00a7lWBpXs8S3pCjJ3uzfQIJyl8K0iJX6
f3W1F5NzX+LCxU9HhI27/c36UEGUhjr4dQUMrCP8aCru/JEB9kB+h9Ed3wOAxa9l
HHcTX32aKigfhaR0Ifo294cm5pefQnH4J0mjuNo3ac/RhQMYW0kSKdgKP0nV0ihl
JxraI35mga7umMNLOQhWLvfjR4sSry6ntZb2vx8XORnAlYVf7WUr48BnPA28HZ4+
uBb3618LMHZ9tyGhjELYfih4gYMADM/7aGWDdflPbv0Fkpm7lhI83EURZualQSKC
zlcuiUBsv41qIp1LEaVtGfEzian0XWQtgV4dzEn/sqLllnnMz0nWHJaPq1JcyzNa
2BHt7u3vW+QGKEHS+AkK63YdlbjFWF+Dvn1YVXncQnErjCXKGHY=
=wdSj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 18 Apr 2019 07:31:22 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:12:20 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon