Debian Bug report logs - #857651
Multiple security issues

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 13 Mar 2017 19:03:02 UTC

Severity: grave

Tags: security

Found in version audiofile/0.3.6-1

Fixed in versions audiofile/0.3.6-4, audiofile/0.3.6-2+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#857651; Package src:audiofile. (Mon, 13 Mar 2017 19:03:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 13 Mar 2017 19:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Mon, 13 Mar 2017 19:59:34 +0100
Source: audiofile
Severity: grave
Tags: security

Hi,
please see these security tracker entries for details, which
have all the links to the reports, github issues and patches:

https://security-tracker.debian.org/tracker/CVE-2017-6829
https://security-tracker.debian.org/tracker/CVE-2017-6831
https://security-tracker.debian.org/tracker/CVE-2017-6832
https://security-tracker.debian.org/tracker/CVE-2017-6833
https://security-tracker.debian.org/tracker/CVE-2017-6834
https://security-tracker.debian.org/tracker/CVE-2017-6835
https://security-tracker.debian.org/tracker/CVE-2017-6836
https://security-tracker.debian.org/tracker/CVE-2017-6837
https://security-tracker.debian.org/tracker/CVE-2017-6838
https://security-tracker.debian.org/tracker/CVE-2017-6839

Cheers,
        Moritz



Marked as found in versions audiofile/0.3.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 13 Mar 2017 19:18:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#857651; Package src:audiofile. (Wed, 15 Mar 2017 05:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 15 Mar 2017 05:54:02 GMT)


Message #12 received at 857651@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 857651@bugs.debian.org
Subject: Re: Bug#857651: Multiple security issues
Date: Wed, 15 Mar 2017 06:50:29 +0100
On Mon, Mar 13, 2017 at 07:59:34PM +0100, Moritz Muehlenhoff wrote:
> Source: audiofile
> Severity: grave
> Tags: security
> 
> Hi,
> please see these security tracker entries for details, which
> have all the links to the reports, github issues and patches:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-6829
> https://security-tracker.debian.org/tracker/CVE-2017-6831
> https://security-tracker.debian.org/tracker/CVE-2017-6832
> https://security-tracker.debian.org/tracker/CVE-2017-6833
> https://security-tracker.debian.org/tracker/CVE-2017-6834
> https://security-tracker.debian.org/tracker/CVE-2017-6835
> https://security-tracker.debian.org/tracker/CVE-2017-6836
> https://security-tracker.debian.org/tracker/CVE-2017-6837
> https://security-tracker.debian.org/tracker/CVE-2017-6838
> https://security-tracker.debian.org/tracker/CVE-2017-6839

Two more were assigned:

https://security-tracker.debian.org/tracker/CVE-2017-6827

and

https://security-tracker.debian.org/tracker/CVE-2017-6828

Regards,
Salvatore



Added tag(s) pending. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Thu, 16 Mar 2017 20:51:05 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#857651. (Thu, 16 Mar 2017 20:51:09 GMT)


Message #17 received at 857651-submitter@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 857651-submitter@bugs.debian.org
Subject: Bug#857651 marked as pending
Date: Thu, 16 Mar 2017 20:46:08 +0000
tag 857651 pending
thanks

Hello,

Bug #857651 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/audiofile.git/commit/?id=ff91739

---
commit ff91739ab9299170451d3b2f50a225efea9e08f5
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Thu Mar 16 21:43:50 2017 +0100

    Finalize changelog

diff --git a/debian/changelog b/debian/changelog
index 908a453..12a3b22 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+audiofile (0.3.6-4) unstable; urgency=high
+
+  * Team upload.
+  * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831,
+    CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836,
+    CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828.
+    (Closes: #857651)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Thu, 16 Mar 2017 21:43:45 +0100
+
 audiofile (0.3.6-3) unstable; urgency=high
 
   * Team upload.
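Review bot: the entry names twelve CVE IDs but not CVE-2017-6830, which the 0.3.6-2+deb8u2 entry later in this log groups with the sfconvert multiplication-overflow fix alongside CVE-2017-6834, CVE-2017-6836 and CVE-2017-6838; if the same patch is applied in 0.3.6-4, name CVE-2017-6830 here too so the security tracker can mark it fixed in this version, and if it is deliberately left out, say why. The entry also reads only "debian/patches: Apply patches to fix ..." without a word on what each patch changes; a one-line summary per fix, as the jessie entry gives (coefficient count check, IMA index clamp, overflow checks, parseFormat failure), would make the upload reviewable without opening debian/patches.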



Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Thu, 16 Mar 2017 21:21:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 16 Mar 2017 21:21:09 GMT)


Message #22 received at 857651-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 857651-close@bugs.debian.org
Subject: Bug#857651: fixed in audiofile 0.3.6-4
Date: Thu, 16 Mar 2017 21:19:00 +0000
Source: audiofile
Source-Version: 0.3.6-4

We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated audiofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 Mar 2017 21:43:45 +0100
Source: audiofile
Binary: audiofile-tools libaudiofile-dev libaudiofile1
Architecture: source
Version: 0.3.6-4
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 audiofile-tools - sfinfo and sfconvert tools
 libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
 libaudiofile1 - Open-source version of SGI's audiofile library
Closes: 857651
Changes:
 audiofile (0.3.6-4) unstable; urgency=high
 .
   * Team upload.
   * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831,
     CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836,
     CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828.
     (Closes: #857651)
Checksums-Sha1:
 a15def9ba7bdc87d8cba9cbe35f9ba01df2258fb 2143 audiofile_0.3.6-4.dsc
 ad4e2b1b387446167f8cb62b06b346e6cf3fa312 17116 audiofile_0.3.6-4.debian.tar.xz
 19214ca7fc732b2de4a270007b3c9c0134bd0671 6487 audiofile_0.3.6-4_amd64.buildinfo
Checksums-Sha256:
 c84814dea9afbf83728a6d6deb3a0ad635b6d8cad1abd7169b0b5c5b68ab485d 2143 audiofile_0.3.6-4.dsc
 0620675a52bdb40b775980cc1820e308df329348bb847f9a4a8361b3799fa241 17116 audiofile_0.3.6-4.debian.tar.xz
 4f25b8ba02716bc3400c35ab1c2a8cd0f848a2902771c8cd826a6ae8c77d37b9 6487 audiofile_0.3.6-4_amd64.buildinfo
Files:
 ade9a60daba378304a54e6bb9b248028 2143 libs optional audiofile_0.3.6-4.dsc
 db385529550ccc8e385ab4a8b75ef26b 17116 libs optional audiofile_0.3.6-4.debian.tar.xz
 2688bf8bda5c4cc39a9cea9ba45e6862 6487 libs optional audiofile_0.3.6-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Added tag(s) pending. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Thu, 23 Mar 2017 08:33:06 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#857651. (Thu, 23 Mar 2017 08:33:11 GMT)


Message #27 received at 857651-submitter@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 857651-submitter@bugs.debian.org
Subject: Bug#857651 marked as pending
Date: Thu, 23 Mar 2017 08:28:53 +0000
tag 857651 pending
thanks

Hello,

Bug #857651 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/audiofile.git/commit/?id=242f019

---
commit 242f0192363e1c3148116d58942ad2624a311425
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Sat Mar 18 19:28:56 2017 +0100

    Import Debian changes 0.3.6-2+deb8u2
    
    audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Address several vulnerabilities (Closes: #857651)
        - Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828
          CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837)
        - clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829)
        - Check for multiplication overflow in sfconvert (CVE-2017-6830
          CVE-2017-6834 CVE-2017-6836 CVE-2017-6838)
        - Actually fail when error occurs in parseFormat (CVE-2017-6831)
        - Check for multiplication overflow in MSADPCM decodeSample
          (CVE-2017-6839)
      * Fix signature of multiplyCheckOverflow. It returns a bool, not an int
      * Check for division by zero in BlockCodec::runPull

diff --git a/debian/changelog b/debian/changelog
index 9f9f1f2..9819ae1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Address several vulnerabilities (Closes: #857651)
+    - Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828
+      CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837)
+    - clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829)
+    - Check for multiplication overflow in sfconvert (CVE-2017-6830
+      CVE-2017-6834 CVE-2017-6836 CVE-2017-6838)
+    - Actually fail when error occurs in parseFormat (CVE-2017-6831)
+    - Check for multiplication overflow in MSADPCM decodeSample
+      (CVE-2017-6839)
+  * Fix signature of multiplyCheckOverflow. It returns a bool, not an int
+  * Check for division by zero in BlockCodec::runPull
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 18 Mar 2017 19:28:56 +0100
+
 audiofile (0.3.6-2+deb8u1) jessie; urgency=high
 
   * Team upload.
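Review bot: the diff shown touches only debian/changelog, so none of the checks the entry describes (coefficient count, IMA index clamp, sfconvert and MSADPCM multiplication-overflow checks, parseFormat failure, BlockCodec::runPull division) can be reviewed from this hunk; the patches that implement them should be visible in the same commit or linked from the entry. The entry also lists CVE-2017-6830, which neither the original report (message #5) nor the follow-up assigning CVE-2017-6827 and CVE-2017-6828 (message #12) mentions, and which the 0.3.6-4 entry for unstable omits; add it to the bug so the two fixed versions are tracked against the same set of IDs. Minor: the two items without CVE IDs ("Fix signature of multiplyCheckOverflow" and "Check for division by zero in BlockCodec::runPull") should say whether they are upstream commits or Debian-local changes so that the same fixes can be carried to other suites.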

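The jessie-security changelog above (and the shorter 0.3.6-4 entry in message #17) names the defensive patterns the upload applies: checking a header's coefficient count before it is used as an array bound, clamping the IMA ADPCM step index, bool-returning multiplication-overflow checks in sfconvert and the MSADPCM decoder, and guarding a division in BlockCodec::runPull. The following is an added C++ example written for this page to show those patterns in working code. It is not audiofile's source: apart from the name multiplyCheckOverflow, which the changelog mentions, every function, constant (kMaxCoefficients, kIMAStepTableSize) and the sample header bytes are constructed for the example, and which exact quantity the real runPull divides by is not shown on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <utility>
#include <vector>

// Bool-returning multiply check; the changelog notes the real helper returns
// bool, not int. Widening to 64-bit assumes 32-bit int and 64-bit long long.
bool multiplyCheckOverflow(int a, int b, int *result)
{
    long long wide = static_cast<long long>(a) * static_cast<long long>(b);
    if (wide > std::numeric_limits<int>::max() ||
        wide < std::numeric_limits<int>::min())
        return false;
    *result = static_cast<int>(wide);
    return true;
}

bool productOverflows(int a, int b)
{
    int unused;
    return !multiplyCheckOverflow(a, b, &unused);
}

// sfconvert-style buffer sizing: frames * channels * bytesPerSample. Returns
// -1 instead of a wrapped (too small) size; the caller must abort on -1.
int bufferSizeOrNegative(int frames, int channels, int bytesPerSample)
{
    int samples, bytes;
    if (!multiplyCheckOverflow(frames, channels, &samples))
        return -1;
    if (!multiplyCheckOverflow(samples, bytesPerSample, &bytes))
        return -1;
    return bytes;
}

// IMA ADPCM decoders index an 89-entry step table with a running index seeded
// from the block header; clamp it rather than trust it.
const int kIMAStepTableSize = 89;
int clampIMAIndex(int index)
{
    if (index < 0)
        return 0;
    if (index >= kIMAStepTableSize)
        return kIMAStepTableSize - 1;
    return index;
}

// MS ADPCM WAVE format extensions carry a little-endian uint16 coefficient
// count followed by that many int16 pairs. The decoder copies them into a
// fixed table (kMaxCoefficients is an assumed capacity), so a count larger
// than the table, or one that runs past the bytes present, fails the parse.
// An empty result means "reject the file".
const size_t kMaxCoefficients = 7;
typedef std::vector<std::pair<int16_t, int16_t> > CoefficientList;

CoefficientList parseMSADPCMCoefficients(const std::vector<uint8_t> &ext)
{
    CoefficientList coefs;
    if (ext.size() < 2)
        return coefs;
    size_t count = ext[0] | (static_cast<size_t>(ext[1]) << 8);
    if (count == 0 || count > kMaxCoefficients)
        return coefs;                       // header claims more than the table holds
    if (ext.size() < 2 + count * 4)
        return coefs;                       // declared count runs past the data
    for (size_t i = 0; i < count; ++i) {
        size_t off = 2 + i * 4;
        int16_t c1 = static_cast<int16_t>(ext[off] | (ext[off + 1] << 8));
        int16_t c2 = static_cast<int16_t>(ext[off + 2] | (ext[off + 3] << 8));
        coefs.push_back(std::make_pair(c1, c2));
    }
    return coefs;
}

// Block-codec pull: turning a byte count into a block count divides by a
// block size that also comes from the header. Refuse a zero size up front.
int blocksOrNegative(int bytes, int bytesPerBlock)
{
    if (bytes < 0 || bytesPerBlock <= 0)
        return -1;
    return bytes / bytesPerBlock;
}

// Constructed sample headers (not taken from any real file).
const uint8_t kGoodExtBytes[] = {0x02, 0x00,              // count = 2
                                 0x00, 0x01, 0x00, 0x00,  // (256, 0)
                                 0x00, 0x02, 0x00, 0xFF}; // (512, -256)
const uint8_t kOversizedExtBytes[] = {0x09, 0x00, 0x00, 0x01, 0x00, 0x00}; // count 9
const uint8_t kTruncatedExtBytes[] = {0x03, 0x00, 0x00, 0x01, 0x00, 0x00}; // count 3, 1 pair
const std::vector<uint8_t> kGoodExt(kGoodExtBytes, kGoodExtBytes + sizeof kGoodExtBytes);
const std::vector<uint8_t> kOversizedExt(kOversizedExtBytes, kOversizedExtBytes + sizeof kOversizedExtBytes);
const std::vector<uint8_t> kTruncatedExt(kTruncatedExtBytes, kTruncatedExtBytes + sizeof kTruncatedExtBytes);

int main()
{
    std::printf("65536*65536 overflows: %d\n", productOverflows(65536, 65536));
    std::printf("buffer for INT_MAX frames: %d\n", bufferSizeOrNegative(0x7fffffff, 2, 2));
    std::printf("clamped index 100 -> %d\n", clampIMAIndex(100));
    std::printf("pairs parsed: good=%zu oversized=%zu truncated=%zu\n",
                parseMSADPCMCoefficients(kGoodExt).size(),
                parseMSADPCMCoefficients(kOversizedExt).size(),
                parseMSADPCMCoefficients(kTruncatedExt).size());
    std::printf("blocks with zero block size: %d\n", blocksOrNegative(1024, 0));
    return 0;
}
```

Each helper returns a failure value (false, -1 or an empty list) that the caller cannot mistake for a valid size or index, which is the point the changelog makes about multiplyCheckOverflow returning bool rather than int: a check whose result is easy to ignore is only half a fix.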


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 29 Mar 2017 19:33:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 29 Mar 2017 19:33:13 GMT)


Message #32 received at 857651-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 857651-close@bugs.debian.org
Subject: Bug#857651: fixed in audiofile 0.3.6-2+deb8u2
Date: Wed, 29 Mar 2017 19:32:08 +0000
Source: audiofile
Source-Version: 0.3.6-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated audiofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Mar 2017 19:28:56 +0100
Source: audiofile
Binary: audiofile-tools libaudiofile-dev libaudiofile1 libaudiofile-dbg
Architecture: source
Version: 0.3.6-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 857651
Description: 
 audiofile-tools - sfinfo and sfconvert tools
 libaudiofile-dbg - Open-source version of SGI's audiofile library (debug)
 libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
 libaudiofile1 - Open-source version of SGI's audiofile library
Changes:
 audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities (Closes: #857651)
     - Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828
       CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837)
     - clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829)
     - Check for multiplication overflow in sfconvert (CVE-2017-6830
       CVE-2017-6834 CVE-2017-6836 CVE-2017-6838)
     - Actually fail when error occurs in parseFormat (CVE-2017-6831)
     - Check for multiplication overflow in MSADPCM decodeSample
       (CVE-2017-6839)
   * Fix signature of multiplyCheckOverflow. It returns a bool, not an int
   * Check for division by zero in BlockCodec::runPull
Checksums-Sha1: 
 9ef62372482313a1af0c8f669410d51822ee0230 2385 audiofile_0.3.6-2+deb8u2.dsc
 3aba3ef724b1b5f88cfc20ab9f8ce098e6c35a0e 811733 audiofile_0.3.6.orig.tar.gz
 110bf58c6c24d698eb55aa19894f77907517ac22 15512 audiofile_0.3.6-2+deb8u2.debian.tar.xz
Checksums-Sha256: 
 381b03e1b3f7270bcca367769b685e3e6a461cfb5a9ff2f30a72bf9e60205e6b 2385 audiofile_0.3.6-2+deb8u2.dsc
 cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965 811733 audiofile_0.3.6.orig.tar.gz
 6f08b8d898317e92b42722f8040d1c6c42ceb717068f40b66251486656910738 15512 audiofile_0.3.6-2+deb8u2.debian.tar.xz
Files: 
 d5ac09ee6abc76c7f1cd46187d9d1763 2385 libs optional audiofile_0.3.6-2+deb8u2.dsc
 2731d79bec0acef3d30d2fc86b0b72fd 811733 libs optional audiofile_0.3.6.orig.tar.gz
 ed19806ebe18badf2256636de983482c 15512 libs optional audiofile_0.3.6-2+deb8u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:29:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:50:27 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.