libvorbis: CVE-2018-5146: out-of-bounds memory write


Debian Bug report logs - #893130


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Mar 2018 18:30:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libvorbis/1.3.4-2

Fixed in versions libvorbis/1.3.4-2+deb8u1, libvorbis/1.3.5-4+deb9u2, libvorbis/1.3.5-4.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#893130; Package src:libvorbis. (Fri, 16 Mar 2018 18:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Fri, 16 Mar 2018 18:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbis: CVE-2018-5146: out-of-bounds memory write
Date: Fri, 16 Mar 2018 19:27:52 +0100
Source: libvorbis
Version: 1.3.4-2
Severity: grave
Tags: patch security upstream
Control: fixed -1 1.3.4-2+deb8u1
Control: fixed -1 1.3.5-4+deb9u2

Hi,

the following vulnerability was published for libvorbis.

CVE-2018-5146[0]:
out-of-bounds memory write

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5146
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
[2] https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f

Regards,
Salvatore



Marked as fixed in versions libvorbis/1.3.4-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 16 Mar 2018 18:30:05 GMT)


Marked as fixed in versions libvorbis/1.3.5-4+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 16 Mar 2018 18:30:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#893130; Package src:libvorbis. (Sat, 17 Mar 2018 07:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sat, 17 Mar 2018 07:51:03 GMT)


Message #14 received at 893130@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893130@bugs.debian.org
Subject: libvorbis: diff for NMU version 1.3.5-4.2
Date: Sat, 17 Mar 2018 08:50:20 +0100
Control: tags 893130 + pending

Dear maintainer,

I've prepared an NMU for libvorbis (versioned as 1.3.5-4.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libvorbis-1.3.5-4.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 893130-submit@bugs.debian.org. (Sat, 17 Mar 2018 07:51:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 17 Mar 2018 09:51:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Mar 2018 09:51:15 GMT)


Message #21 received at 893130-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893130-close@bugs.debian.org
Subject: Bug#893130: fixed in libvorbis 1.3.5-4.2
Date: Sat, 17 Mar 2018 09:49:25 +0000
Source: libvorbis
Source-Version: 1.3.5-4.2

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893130@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Mar 2018 22:26:37 +0100
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source
Version: 1.3.5-4.2
Distribution: unstable
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 893130
Description: 
 libvorbis-dbg - debug files for Vorbis General Audio Compression Codec
 libvorbis-dev - development files for Vorbis General Audio Compression Codec
 libvorbis0a - decoder library for Vorbis General Audio Compression Codec
 libvorbisenc2 - encoder library for Vorbis General Audio Compression Codec
 libvorbisfile3 - high-level API for Vorbis General Audio Compression Codec
Changes:
 libvorbis (1.3.5-4.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Prevent out-of-bounds write in codebook decoding (CVE-2018-5146)
     (Closes: #893130)
Checksums-Sha1: 
 41b367c93ae3acdf783f10d7afe5e1b9a55ef994 2546 libvorbis_1.3.5-4.2.dsc
 a5e9d1232426c9379ffec0b80620e80129c3a318 12340 libvorbis_1.3.5-4.2.debian.tar.xz
Checksums-Sha256: 
 074430404ed9851708fa99c6028c6419c2eae6d57299e623b443d6079f8b3d87 2546 libvorbis_1.3.5-4.2.dsc
 22d0f18332c7f5fb06b8366e1653d18165284c07152a3af7872b70cde3a7fdfc 12340 libvorbis_1.3.5-4.2.debian.tar.xz
Files: 
 9412a65284d7f5b936b94abf6f46ee27 2546 libs optional libvorbis_1.3.5-4.2.dsc
 ca8a01e8ca40e87b85d8ea23c4e5483f 12340 libs optional libvorbis_1.3.5-4.2.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:27:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:38 2019; Machine Name: buxtehude
