vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Debian Bug report logs - #775913
vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Date: Wed, 21 Jan 2015 14:38:21 +0100

Source: vala-0.26
Version: 0.26.1-1
Severity: grave
Tags: security upstream patch fixed-upstream
Control: fixed -1 0.26.2-1

Hi,

the following vulnerability was published for vala-0.26.

CVE-2014-8154[0]:
Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8154
[1] https://git.gnome.org/browse/vala/commit/?id=3092537db65887e24a3d3e87a27caf9c5295e4f7 
[2] https://bugzilla.gnome.org/show_bug.cgi?id=678663
[3] https://bugzilla.novell.com/show_bug.cgi?id=913071
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1181404

Regards,
Salvatore

Message #12 received at 775913@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 775913@bugs.debian.org, laney@debian.org, andreas@fatal.se

Subject: Re: vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Date: Thu, 12 Feb 2015 16:41:47 +0100

On Wed, Jan 21, 2015 at 02:38:21PM +0100, Salvatore Bonaccorso wrote:
> Source: vala-0.26
> Version: 0.26.1-1
> Severity: grave
> Tags: security upstream patch fixed-upstream
> Control: fixed -1 0.26.2-1
> 
> Hi,
> 
> the following vulnerability was published for vala-0.26.
> 
> CVE-2014-8154[0]:
> Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

What's the status?

Cheers,
        Moritz

Message #17 received at 775913@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: 775913@bugs.debian.org, laney@debian.org

Subject: Re: vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Date: Sun, 15 Feb 2015 13:24:52 +0100

Hello Moritz Muehlenhoff.

I'm pretty sure this is not the answer you're wishing to hear but I
though it's better to give you some reply then not answer at all...

On Thu, Feb 12, 2015 at 04:41:47PM +0100, Moritz Muehlenhoff wrote:
[...]
> > Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()
> 
> What's the status?

TTBOMK:
Fixed in 0.26.2 currently available from experimental. Will likely be
available (first in unstable+testing then) in backports archive after
the Jessie release. There's a lack of people finding it useful to redo
the upstream bugfix releases badly just because of debian policies or
whatever the issue is with getting them into testing during freeze.

Given that experimental in many cases are already (rightly so) filled
with packages of upstream development releases and we have nowhere to
put upstream bugfix releases in Debian now, I've been considering
setting up my own repository where I can share updated packages with
those interested.... (that would also solve the issue that backports
isn't really suitable since you then explicitly will have to point out
each and every package you want a fixed version of.)
Unfortunately this hasn't yet surfaced high enough on my already
busy schedule (and would be better to see a proper distribution channel
set up within debian if that's possible at all).

Regards,
Andreas Henriksson

Message #22 received at 775913@bugs.debian.org (full text, mbox, reply):

From: Emilio Pozuelo Monfort <pochu@debian.org>

To: Andreas Henriksson <andreas@fatal.se>, 775913@bugs.debian.org

Subject: Re: [Pkg-vala-maintainers] Bug#775913: vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Date: Mon, 16 Feb 2015 09:58:09 +0100

On 15/02/15 13:24, Andreas Henriksson wrote:
> Hello Moritz Muehlenhoff.
> 
> I'm pretty sure this is not the answer you're wishing to hear but I
> though it's better to give you some reply then not answer at all...
> 
> On Thu, Feb 12, 2015 at 04:41:47PM +0100, Moritz Muehlenhoff wrote:
> [...]
>>> Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()
>>
>> What's the status?
> 
> TTBOMK:
> Fixed in 0.26.2 currently available from experimental. Will likely be
> available (first in unstable+testing then) in backports archive after
> the Jessie release. There's a lack of people finding it useful to redo
> the upstream bugfix releases badly just because of debian policies or
> whatever the issue is with getting them into testing during freeze.

"Redoing" here means adding this patch:

https://git.gnome.org/browse/vala/commit/?h=0.26&id=22126ebad3b2133db39bcf301c29c8b78b440f1a

I'll see if I can do it sometime this week, if nobody beats me to it.

If any NMU-ers read this, feel free to upload without prior notice. Just
remember to send a debdiff of what you upload :)

Cheers,
Emilio

Message #27 received at 775913@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Emilio Pozuelo Monfort <pochu@debian.org>

Cc: 775913@bugs.debian.org

Subject: Re: [Pkg-vala-maintainers] Bug#775913: vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Date: Mon, 16 Feb 2015 10:53:16 +0100

On Mon, Feb 16, 2015 at 09:58:09AM +0100, Emilio Pozuelo Monfort wrote:
[...]
> "Redoing" here means adding this patch:
> 
> https://git.gnome.org/browse/vala/commit/?h=0.26&id=22126ebad3b2133db39bcf301c29c8b78b440f1a
[...]

And when the next bug report gets in we add another one, and then the next
one, ..... which could all have been avoided if we just shipped already
available bugfixes at once instead of waiting for bug reports to trickle in.

But ofcourse feel free to NMU!

Regards,
Andreas Henriksson

Message #32 received at 775913@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>

To: 775913@bugs.debian.org

Subject: vala-0.26: diff for NMU version 0.26.1-1.1

Date: Fri, 6 Mar 2015 17:02:52 +0100

[Message part 1 (text/plain, inline)]

Control: tags 775913 + pending

Dear maintainer,

I've prepared an NMU for vala-0.26 (versioned as 0.26.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer -  https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Element Of Crime: No god anymore

[vala-0.26-0.26.1-1.1-nmu.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #39 received at 775913@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: gregor herrmann <gregoa@debian.org>, 775913@bugs.debian.org

Subject: Re: Bug#775913: vala-0.26: diff for NMU version 0.26.1-1.1

Date: Fri, 6 Mar 2015 18:21:38 +0100

Hi Gregor,

On Fri, Mar 06, 2015 at 05:02:52PM +0100, gregor herrmann wrote:
> Control: tags 775913 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for vala-0.26 (versioned as 0.26.1-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.

Thanks a lot for preparing that update! Note (but cannot check right
now again), that it looks that any binary build with the buggy
bindings package that use Gst.MapInfo() function are affected as well.
See https://bugzilla.redhat.com/show_bug.cgi?id=1177840, so possibly
shotwell. sources.debian.net might reveal others[*] :(

 [*] possibly rygel as well

Regards,
Salvatore

Message #44 received at 775913-close@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>

To: 775913-close@bugs.debian.org

Subject: Bug#775913: fixed in vala-0.26 0.26.1-1.1

Date: Sun, 08 Mar 2015 16:21:03 +0000

Source: vala-0.26
Source-Version: 0.26.1-1.1

We believe that the bug you reported is fixed in the latest version of
vala-0.26, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated vala-0.26 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Mar 2015 16:58:06 +0100
Source: vala-0.26
Binary: valac valac-0.26 valac-0.26-vapi vala-0.26-doc libvala-0.26-0 libvala-0.26-dev valac-0.26-dbg libvala-0.26-0-dbg
Architecture: source all amd64
Version: 0.26.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of Vala packages <pkg-vala-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description:
 libvala-0.26-0 - C# like language for the GObject system - library
 libvala-0.26-0-dbg - C# like language for the GObject system - library symbols
 libvala-0.26-dev - C# like language for the GObject system - development headers
 vala-0.26-doc - C# like language for the GObject system - documentation
 valac      - C# like language for the GObject system
 valac-0.26 - C# like language for the GObject system
 valac-0.26-dbg - C# like language for the GObject system - debug symbols
 valac-0.26-vapi - C# like language for the GObject system - vapi files
Closes: 775913
Changes:
 vala-0.26 (0.26.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix "CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings
     at Gst.MapInfo()": add patch mapinfo.date-array-length.patch,
     taken from upstream git:
     https://git.gnome.org/browse/vala/commit/?id=22126ebad3b2133db39bcf301c29c8b78b440f1a
     (Closes: #775913)
Checksums-Sha1:
 5c2107b70f8a3974e39d75bc5e32b9465669f649 2825 vala-0.26_0.26.1-1.1.dsc
 8ae9e0649dc27eab3d64e80addc7e8f57afbe09d 24056 vala-0.26_0.26.1-1.1.debian.tar.xz
 afda298215c3cdd19f11d746f8cf67bcd4011f4d 146332 valac_0.26.1-1.1_all.deb
 2f863efb72b2759fa1bd1a93936fc6d84ed8c9b6 813914 valac-0.26-vapi_0.26.1-1.1_all.deb
 5e29ea2683d64f6bacaec9aaadf3bc177588bdc4 153472 vala-0.26-doc_0.26.1-1.1_all.deb
Checksums-Sha256:
 c731322e9ce269444b49e961742e9d8f8e00fac7a6892bce1d33fcd8890012b1 2825 vala-0.26_0.26.1-1.1.dsc
 ece03d323b4613b2aff0e6e0c3957f036e1c31aa66961ece32aff054897b72f5 24056 vala-0.26_0.26.1-1.1.debian.tar.xz
 5dcbd338d101776e9082ca6c0adf30b5f0e3e7207d4b0102aaa80a97b6d2436e 146332 valac_0.26.1-1.1_all.deb
 9d1b98e3c16e0e7e0bbc520fbc105f51c59de3776b80b71aa55f2b0183960d92 813914 valac-0.26-vapi_0.26.1-1.1_all.deb
 af14f1dc04e56f6ac007e11517ac5adee801fbdcba088dd565b77c487676ea5e 153472 vala-0.26-doc_0.26.1-1.1_all.deb
Files:
 9acdc177e6e7e8c2638bfebda3aa6d15 2825 devel optional vala-0.26_0.26.1-1.1.dsc
 ff528ec6223f24122db03f0ec574a451 24056 devel optional vala-0.26_0.26.1-1.1.debian.tar.xz
 dbb6807250d7cec856ca1bb5ab11f7ac 146332 devel optional valac_0.26.1-1.1_all.deb
 34c56ab7b84515a76275f1ffd11f74fc 813914 devel optional valac-0.26-vapi_0.26.1-1.1_all.deb
 35915749ed4468c54b2c17ac6ad9421c 153472 doc optional vala-0.26-doc_0.26.1-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJU+c+GXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGLf0QAJ8P311mtaekbAOWUmX6sVSN
q1z4MNaJi0cGZ+IeywxuPA+3KXgpbxKTApqZH7JaUJEP8L+aTvtQbAty3oS72/cu
++J5UnQYxBJmMdgJ84M2E3O7rTORfM7ptPgdtzFPtmjyX9C8U4Mee3AhgisguoeY
Qbd5BP+6Q7Z1xctsPLTN8+071weAprS/wwD4/Iir/xHU41aLtVBy5eAiTIynFJQt
0BEsARVPHumlnk+9dE5WUXhNhbtXJd2gFXgZJWerY50cD2AXh4v6+WrpdiR13TJ/
jqA6zELN+RCgGfNeDQpha/eFoiAr0p7th+FgmLXD6YmFsqFCAV6rdxF3rF/gTfOY
4FEoeNrz1FfCOCGIzEDymhFqjUyJjGdp8uhlxUIJTXUVcr07+bHtAzpfL5Tw/lot
ycPextGoJcUUfOST9Y/fRr5fNDv0cF+Fs1F6Mj9R9KnoQmFCxPiIFU5L7QxESy7M
niKHp3NXoxxspM0Q/6jJoWUlp9zk/tUpPwpMbwB5SJ1/MtIkjuTxlCy7zCHQXtcz
eT4DaXUZawIorvNyokvUqgVOkEE7pnbd1aqT/AZndGTyGnY3i1TkDTXuXPNsA5+y
EJ4a9I5o9uiPDGOaxQVOukE2rOUnaFKKyUQ1C8oXveQFQ2bUYnwVld2ldpj7zgYP
xEfDu7hfGg/X2zRLh/bN
=tDRX
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.