libquicktime: CVE-2016-2399


Debian Bug report logs - #855099


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 14 Feb 2017 04:57:02 UTC

Severity: important

Tags: security, upstream

Found in version libquicktime/2:1.2.4-7

Fixed in versions libquicktime/2:1.2.4-10, libquicktime/2:1.2.4-7+deb8u1

Done: Balint Reczey <balint@balintreczey.hu>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/libquicktime/mailman/message/35703898/




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#855099; Package src:libquicktime. (Tue, 14 Feb 2017 04:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 14 Feb 2017 04:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libquicktime: CVE-2016-2399
Date: Tue, 14 Feb 2017 05:54:11 +0100
Source: libquicktime
Version: 2:1.2.4-7
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libquicktime.

CVE-2016-2399[0]:
| Integer overflow in the quicktime_read_pascal function in libquicktime
| 1.2.4 and earlier allows remote attackers to cause a denial of service
| or possibly have other unspecified impact via a crafted hdlr MP4 atom.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2399

Regards,
Salvatore
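The advisory text above describes an integer overflow when quicktime_read_pascal reads a Pascal (length-prefixed) string out of an hdlr atom. As an added example, not libquicktime's code, the block below shows how a length byte that lands in a signed 8-bit variable turns into a negative count, and what a bounds-checked reader of the same layout looks like. It assumes the one-byte-length layout for the string; the sample atom payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample atom payloads (not libquicktime test data). A Pascal
 * string is one length byte followed by that many bytes of text, which is
 * the layout assumed here for the hdlr component name. */
const uint8_t GOOD_NAME[] = { 4, 'v', 'i', 'd', 'e' };      /* well formed */
const uint8_t CRAFTED[]   = { 0xFF, 'v', 'i', 'd', 'e' };   /* length byte 255 */
const uint8_t TRUNCATED[] = { 4, 'v', 'i' };                /* atom ends early */

char g_out[16];   /* scratch output buffer shared by main() and the checks */

/* Illustrates the pitfall: when the length byte lands in a signed 8-bit
 * variable, 0xFF reads as -1. Any later code that uses that value as a byte
 * count or array index is then working with a negative number. This
 * function only reports the interpreted value; it copies nothing. */
int length_as_signed_byte(const uint8_t *atom)
{
    signed char len = (signed char)atom[0];
    return len;
}

/* Bounds-checked reader. Returns the string length on success, or -1 when
 * the declared length runs past the end of the atom or would not fit in the
 * caller's buffer together with the NUL terminator. */
int read_pascal_checked(const uint8_t *atom, size_t atom_len,
                        char *out, size_t out_cap)
{
    if (atom_len < 1 || out_cap < 1)
        return -1;
    size_t len = atom[0];              /* unsigned: 0..255, never negative */
    if (len > atom_len - 1)            /* more bytes declared than present */
        return -1;
    if (len > out_cap - 1)             /* no room for text plus terminator */
        return -1;
    memcpy(out, atom + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    printf("crafted length byte as signed: %d\n", length_as_signed_byte(CRAFTED));
    printf("good:      %d\n", read_pascal_checked(GOOD_NAME, sizeof GOOD_NAME, g_out, sizeof g_out));
    printf("crafted:   %d\n", read_pascal_checked(CRAFTED, sizeof CRAFTED, g_out, sizeof g_out));
    printf("truncated: %d\n", read_pascal_checked(TRUNCATED, sizeof TRUNCATED, g_out, sizeof g_out));
    return 0;
}
```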



Added tag(s) pending. Request was from Balint Reczey <balint@balintreczey.hu> to control@bugs.debian.org. (Mon, 27 Feb 2017 22:57:09 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#855099. (Mon, 27 Feb 2017 22:57:11 GMT)


Message #10 received at 855099-submitter@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 855099-submitter@bugs.debian.org
Subject: Bug#855099 marked as pending
Date: Mon, 27 Feb 2017 22:54:39 +0000
tag 855099 pending
thanks

Hello,

Bug #855099 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/libquicktime.git/commit/?id=a4a7f0b

---
commit a4a7f0bbd44071c973dfa946dced4fceb34c0ee1
Author: Balint Reczey <balint@balintreczey.hu>
Date:   Mon Feb 27 23:15:35 2017 +0100

    Update changelog

diff --git a/debian/changelog b/debian/changelog
index 7d92de2..9a25361 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libquicktime (2:1.2.4-10) unstable; urgency=medium
+
+  * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
+    (Closes: #855099)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Mon, 27 Feb 2017 23:15:30 +0100
+
 libquicktime (2:1.2.4-9) unstable; urgency=medium
 
   * Team upload.
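Review bot: the new changelog stanza at the top of this hunk names the fix (integer overflow in quicktime_read_pascal, CVE-2016-2399) but the commit touches only debian/changelog, so the code change it describes cannot be reviewed from this diff. Suggest the entry also name the patch file under debian/patches or the upstream commit being backported, so the fix is traceable from the changelog alone.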



Reply sent to Balint Reczey <balint@balintreczey.hu>:
You have taken responsibility. (Mon, 27 Feb 2017 23:06:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 Feb 2017 23:06:04 GMT)


Message #15 received at 855099-close@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 855099-close@bugs.debian.org
Subject: Bug#855099: fixed in libquicktime 2:1.2.4-10
Date: Mon, 27 Feb 2017 23:03:37 +0000
Source: libquicktime
Source-Version: 2:1.2.4-10

We believe that the bug you reported is fixed in the latest version of
libquicktime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855099@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <balint@balintreczey.hu> (supplier of updated libquicktime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 27 Feb 2017 23:15:30 +0100
Source: libquicktime
Binary: libquicktime2 libquicktime-dev libquicktime-doc quicktime-utils quicktime-x11utils
Architecture: source
Version: 2:1.2.4-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Balint Reczey <balint@balintreczey.hu>
Description:
 libquicktime-dev - library for reading and writing Quicktime files (development)
 libquicktime-doc - library for reading and writing Quicktime files (documentation)
 libquicktime2 - library for reading and writing Quicktime files
 quicktime-utils - library for reading and writing Quicktime files (utilities)
 quicktime-x11utils - library for reading and writing Quicktime files (x11 utilities)
Closes: 855099
Changes:
 libquicktime (2:1.2.4-10) unstable; urgency=medium
 .
   * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
     (Closes: #855099)





Added tag(s) pending. Request was from Balint Reczey <balint@balintreczey.hu> to control@bugs.debian.org. (Wed, 01 Mar 2017 15:39:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#855099. (Wed, 01 Mar 2017 15:39:09 GMT)


Message #20 received at 855099-submitter@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 855099-submitter@bugs.debian.org
Subject: Bug#855099 marked as pending
Date: Wed, 01 Mar 2017 15:36:30 +0000
tag 855099 pending
thanks

Hello,

Bug #855099 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/libquicktime.git/commit/?id=465035e

---
commit 465035e0af2448bf194c7ef1bed9d55b8c4821e8
Author: Balint Reczey <balint@balintreczey.hu>
Date:   Mon Feb 27 23:54:01 2017 +0100

    Update changelog

diff --git a/debian/changelog b/debian/changelog
index 91afb8c..46d6f6c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libquicktime (2:1.2.4-3+deb7u1) wheezy-security; urgency=medium
+
+  * Team Upload
+  * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
+    (Closes: #855099)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Mon, 27 Feb 2017 23:39:00 +0100
+
 libquicktime (2:1.2.4-3) unstable; urgency=low
 
   * Team upload.
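Review bot: the version in the new stanza, 2:1.2.4-3+deb7u1 for wheezy-security, matches neither version this bug records as fixed (2:1.2.4-10 and 2:1.2.4-7+deb8u1), yet the entry carries "(Closes: #855099)"; confirm the wheezy upload is intended and that closing the same bug from a third version is what the tracker should see. Minor style point: "* Team Upload" differs from the existing "* Team upload." in the context lines below; match the existing capitalization and trailing period.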



Set Bug forwarded-to-address to 'https://sourceforge.net/p/libquicktime/mailman/message/35703898/'. Request was from Balint Reczey <balint@balintreczey.hu> to control@bugs.debian.org. (Sun, 05 Mar 2017 22:03:03 GMT)


Reply sent to Balint Reczey <balint@balintreczey.hu>:
You have taken responsibility. (Thu, 09 Mar 2017 23:21:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 09 Mar 2017 23:21:21 GMT)


Message #27 received at 855099-close@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 855099-close@bugs.debian.org
Subject: Bug#855099: fixed in libquicktime 2:1.2.4-7+deb8u1
Date: Thu, 09 Mar 2017 23:18:00 +0000
Source: libquicktime
Source-Version: 2:1.2.4-7+deb8u1

We believe that the bug you reported is fixed in the latest version of
libquicktime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855099@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <balint@balintreczey.hu> (supplier of updated libquicktime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 28 Feb 2017 00:00:44 +0100
Source: libquicktime
Binary: libquicktime2 libquicktime-dev libquicktime-doc quicktime-utils quicktime-x11utils
Architecture: source all amd64
Version: 2:1.2.4-7+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Balint Reczey <balint@balintreczey.hu>
Description:
 libquicktime-dev - library for reading and writing Quicktime files (development)
 libquicktime-doc - library for reading and writing Quicktime files (documentation)
 libquicktime2 - library for reading and writing Quicktime files
 quicktime-utils - library for reading and writing Quicktime files (utilities)
 quicktime-x11utils - library for reading and writing Quicktime files (x11 utilities)
Closes: 855099
Changes:
 libquicktime (2:1.2.4-7+deb8u1) jessie-security; urgency=medium
 .
   * Team Upload
   * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
     (Closes: #855099)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Apr 2017 07:29:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:59:53 2019; Machine Name: beach
