taglib: multiple vulnerabilities in taglib

Related Vulnerabilities: CVE-2012-1107, CVE-2012-1108, CVE-2012-1584

Debian Bug report logs - #662705


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Mon, 5 Mar 2012 21:51:02 UTC

Severity: serious

Tags: security

Fixed in version taglib/1.7.1-1

Done: Modestas Vainius <modax@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modax@debian.org>:
Bug#662705; Package src:taglib. (Mon, 05 Mar 2012 21:51:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Modestas Vainius <modax@debian.org>. (Mon, 05 Mar 2012 21:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: taglib: multiple vulnerabilities in taglib
Date: Mon, 05 Mar 2012 22:46:11 +0100
Source: taglib
Severity: serious

Hi,

multiple vulnerabilities were found in taglib 1.7 (not sure about
Squeeze status). Two of them were already allocated CVEs (CVE-2012-1107
and CVE-2012-1108) and two should have them allocated soon.

More details can be found on the oss-sec thread at
http://www.openwall.com/lists/oss-security/2012/03/04/2 and in the
taglib mail at
http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modax@debian.org>:
Bug#662705; Package src:taglib. (Tue, 03 Apr 2012 15:03:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Modestas Vainius <modax@debian.org>. (Tue, 03 Apr 2012 15:03:03 GMT)


Message #10 received at 662705@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 662705@bugs.debian.org
Subject: Re: taglib: multiple vulnerabilities in taglib
Date: Tue, 3 Apr 2012 17:00:18 +0200
On Mon, Mar 05, 2012 at 10:46:11PM +0100, Yves-Alexis Perez wrote:
> Source: taglib
> Severity: serious
> 
> Hi,
> 
> multiple vulnerabilities were found in taglib 1.7 (not sure about
> Squeeze status). Two of them were already allocated CVEs (CVE-2012-1107
> and CVE-2012-1108) and two should have them allocated soon.
> 
> More details can be found on the oss-sec thread at
> http://www.openwall.com/lists/oss-security/2012/03/04/2 and in the
> taglib mail at
> http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html

One additional issue, CVE-2012-1584:

Patch is here:
https://github.com/taglib/taglib/commit/dcdf4fd954e3213c355746fa15b7480461972308

Cheers,
        Moritz




Added tag(s) security. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Wed, 04 Apr 2012 18:39:03 GMT)


Reply sent to Modestas Vainius <modax@debian.org>:
You have taken responsibility. (Sun, 15 Apr 2012 16:21:24 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sun, 15 Apr 2012 16:21:24 GMT)


Message #17 received at 662705-close@bugs.debian.org:

From: Modestas Vainius <modax@debian.org>
To: 662705-close@bugs.debian.org
Subject: Bug#662705: fixed in taglib 1.7.1-1
Date: Sun, 15 Apr 2012 16:19:56 +0000
Source: taglib
Source-Version: 1.7.1-1

We believe that the bug you reported is fixed in the latest version of
taglib, which is due to be installed in the Debian FTP archive:

libtag1-dev_1.7.1-1_amd64.deb
  to main/t/taglib/libtag1-dev_1.7.1-1_amd64.deb
libtag1-doc_1.7.1-1_all.deb
  to main/t/taglib/libtag1-doc_1.7.1-1_all.deb
libtag1-rusxmms_1.7.1-1_amd64.deb
  to main/t/taglib/libtag1-rusxmms_1.7.1-1_amd64.deb
libtag1-vanilla_1.7.1-1_amd64.deb
  to main/t/taglib/libtag1-vanilla_1.7.1-1_amd64.deb
libtag1c2a_1.7.1-1_amd64.deb
  to main/t/taglib/libtag1c2a_1.7.1-1_amd64.deb
libtagc0-dev_1.7.1-1_amd64.deb
  to main/t/taglib/libtagc0-dev_1.7.1-1_amd64.deb
libtagc0_1.7.1-1_amd64.deb
  to main/t/taglib/libtagc0_1.7.1-1_amd64.deb
taglib_1.7.1-1.debian.tar.gz
  to main/t/taglib/taglib_1.7.1-1.debian.tar.gz
taglib_1.7.1-1.dsc
  to main/t/taglib/taglib_1.7.1-1.dsc
taglib_1.7.1.orig.tar.gz
  to main/t/taglib/taglib_1.7.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 662705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Modestas Vainius <modax@debian.org> (supplier of updated taglib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 15 Apr 2012 19:08:51 +0300
Source: taglib
Binary: libtag1c2a libtag1-vanilla libtag1-rusxmms libtag1-dev libtag1-doc libtagc0 libtagc0-dev
Architecture: source amd64 all
Version: 1.7.1-1
Distribution: unstable
Urgency: high
Maintainer: Modestas Vainius <modax@debian.org>
Changed-By: Modestas Vainius <modax@debian.org>
Description: 
 libtag1-dev - audio meta-data library - development files
 libtag1-doc - audio meta-data library - API documentation
 libtag1-rusxmms - audio meta-data library - RusXMMS flavour
 libtag1-vanilla - audio meta-data library - vanilla flavour
 libtag1c2a - audio meta-data library
 libtagc0   - audio meta-data library - C bindings
 libtagc0-dev - audio meta-data library - development files for C bindings
Closes: 662705
Changes: 
 taglib (1.7.1-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes security vulnerabilities: CVE-2012-1107, CVE-2012-1108
       and CVE-2012-1584. (Closes: #662705)
   * Bump Standards-Version to 3.9.3: no changes needed.
   * Drop upstream_doxygen_out_of_source.diff, merged upstream.
   * Drop backport_protection_against_broken_wma_files.diff, merged upstream.
   * Update symbol file.
   * Urgency=high due to security fixes.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modax@debian.org>:
Bug#662705; Package src:taglib. (Sun, 08 Jul 2012 22:15:09 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Modestas Vainius <modax@debian.org>. (Sun, 08 Jul 2012 22:15:09 GMT)


Message #22 received at 662705@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 662705@bugs.debian.org
Subject: Re: taglib: multiple vulnerabilities in taglib
Date: Sun, 08 Jul 2012 15:24:44 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/662705/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modax@debian.org>:
Bug#662705; Package src:taglib. (Mon, 09 Jul 2012 00:12:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Modestas Vainius <modax@debian.org>. (Mon, 09 Jul 2012 00:12:06 GMT)


Message #27 received at 662705@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 662705@bugs.debian.org
Subject: Re: taglib: multiple vulnerabilities in taglib
Date: Sun, 08 Jul 2012 17:38:27 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/662705/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:30:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:09:02 2019; Machine Name: buxtehude
