aubio: CVE-2017-17554

Debian Bug report logs - #884237
aubio: CVE-2017-17554


Package: src:aubio; Maintainer for src:aubio is Paul Brossier <piem@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Dec 2017 20:33:05 UTC

Severity: important

Tags: security, upstream

Found in version aubio/0.4.5-1

Fixed in version aubio/0.4.6-1

Done: Paul Brossier <piem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Brossier <piem@debian.org>:
Bug#884237; Package src:aubio. (Tue, 12 Dec 2017 20:33:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Brossier <piem@debian.org>. (Tue, 12 Dec 2017 20:33:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: aubio: CVE-2017-17554
Date: Tue, 12 Dec 2017 21:31:08 +0100
Source: aubio
Version: 0.4.5-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for aubio.

CVE-2017-17554[0]:
| A NULL pointer dereference (DoS) Vulnerability was found in the
| function aubio_source_avcodec_readframe in io/source_avcodec.c of aubio
| 0.4.6, which may lead to DoS when playing a crafted audio file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17554
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17554

Please adjust the affected versions in the BTS as needed, only 0.4.5-1
has been verified before filing this bug.

Regards,
Salvatore
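The report above asks the maintainer to adjust the affected versions, and the bug header records the two values that matter for anyone triaging their own hosts: found in 0.4.5-1, fixed in 0.4.6-1. Deciding whether an installed package is at or above the fixed version has to follow dpkg's ordering rather than a string or float comparison, because epochs, `~` pre-release and backport suffixes, `+dfsg` upstream suffixes and multi-digit components all change the answer. The block below is an added example, not code from this bug report or from the aubio project: it reimplements the `verrevcmp` algorithm from dpkg (Debian Policy section 5.6.12) in Python so the check runs without dpkg, with `FIXED_VERSION` taken from this report's "Fixed in version" field. On a Debian host the equivalent one-liner is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libaubio5)" ge 0.4.6-1`. Note that 0.4.6-1 is the unstable fix; a fix shipped to stretch or jessie through a point release, as discussed later in this thread, carries a different version string, so the threshold for a stable suite must be taken from the security tracker entry rather than from this number.

```python
"""Compare Debian package versions with dpkg's ordering (added example).

Reimplements the verrevcmp() algorithm from dpkg (Debian Policy 5.6.12) so
that "is the installed aubio at or above the fixed version?" can be answered
without shelling out to dpkg.  FIXED_VERSION is taken from this bug report's
"Fixed in version" field, which applies to unstable.
"""

FIXED_VERSION = "0.4.6-1"   # from the bug report: "Fixed in version aubio/0.4.6-1"


def _order(s: str, i: int) -> int:
    """Weight of s[i] for the non-digit comparison step (mirrors dpkg's order()).

    '~' sorts before everything, even end of string; letters sort before
    non-letters; end of string and digits weigh 0.
    """
    if i >= len(s) or s[i].isdigit():
        return 0
    c = s[i]
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Step 1: compare the leading run of non-digit characters.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac, bc = _order(a, ia), _order(b, ib)
            if ac != bc:
                return -1 if ac < bc else 1
            ia += 1
            ib += 1
        # Step 2: compare the leading run of digits numerically (leading zeros dropped).
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1          # a has more digits left, so its number is larger
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""      # native package: empty revision
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg ordering: epoch first, then upstream version, then Debian revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # On a Debian host the installed value comes from:
    #   dpkg-query -W -f='${Version}' libaubio5
    # The versions below are constructed to show the ordering rules; an epoch
    # (last entry) makes an otherwise older version compare as newer.
    for v in ("0.4.5-1", "0.4.6-1", "0.4.6~rc1-1", "0.4.6-1~bpo9+1", "0.4.6+dfsg-1", "1:0.4.5-1"):
        print(f"{v:16} fixed={is_fixed(v)}")
```

The `~bpo9+1` and `~rc1` cases show why the tilde rule matters: both sort below 0.4.6-1, so a backport or release candidate built before the fix is correctly reported as unfixed, while a `+dfsg` repack of 0.4.6 sorts above it.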



Information forwarded to debian-bugs-dist@lists.debian.org, Paul Brossier <piem@debian.org>:
Bug#884237; Package src:aubio. (Wed, 13 Dec 2017 16:09:02 GMT)


Acknowledgement sent to Paul Brossier <piem@piem.org>:
Extra info received and forwarded to list. Copy sent to Paul Brossier <piem@debian.org>. (Wed, 13 Dec 2017 16:09:02 GMT)


Message #10 received at 884237@bugs.debian.org:

From: Paul Brossier <piem@piem.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 884237@bugs.debian.org
Subject: Re: Bug#884237: aubio: CVE-2017-17554
Date: Wed, 13 Dec 2017 10:26:07 -0500
Hello Salvatore,

thank you for the report. I am preparing a patch for this and will
submit an updated package asap.

See also https://github.com/aubio/aubio/issues/137

best, piem

On 12/12/2017 03:31 PM, Salvatore Bonaccorso wrote:
> Source: aubio
> Version: 0.4.5-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for aubio.
> 
> CVE-2017-17554[0]:
> | A NULL pointer dereference (DoS) Vulnerability was found in the
> | function aubio_source_avcodec_readframe in io/source_avcodec.c of aubio
> | 0.4.6, which may lead to DoS when playing a crafted audio file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-17554
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17554
> 
> Please adjust the affected versions in the BTS as needed, only 0.4.5-1
> has been verified before filing this bug.
> 
> Regards,
> Salvatore
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Paul Brossier <piem@debian.org>:
Bug#884237; Package src:aubio. (Thu, 14 Dec 2017 09:27:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Brossier <piem@debian.org>. (Thu, 14 Dec 2017 09:27:03 GMT)


Message #15 received at 884237@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Paul Brossier <piem@piem.org>
Cc: 884237@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#884237: aubio: CVE-2017-17554
Date: Thu, 14 Dec 2017 10:23:54 +0100
Hi Paul!

On Wed, Dec 13, 2017 at 10:26:07AM -0500, Paul Brossier wrote:
> Hello Salvatore,
> 
> thank you for the report. I am preparing a patch for this and will
> submit an updated package asap.
> 
> See also https://github.com/aubio/aubio/issues/137

Thank you!

I think all of these now-found aubio issues would not warrant a DSA,
but once fixed in unstable, it would be great to see the fixes go down
to stretch and jessie as well via a point release?

Thanks for your work!

Regards,
Salvatore



Reply sent to Paul Brossier <piem@debian.org>:
You have taken responsibility. (Mon, 10 Sep 2018 15:51:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 10 Sep 2018 15:51:12 GMT)


Message #20 received at 884237-close@bugs.debian.org:

From: Paul Brossier <piem@debian.org>
To: 884237-close@bugs.debian.org
Subject: Bug#884237: fixed in aubio 0.4.6-1
Date: Mon, 10 Sep 2018 15:49:03 +0000
Source: aubio
Source-Version: 0.4.6-1

We believe that the bug you reported is fixed in the latest version of
aubio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Brossier <piem@debian.org> (supplier of updated aubio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 10 Sep 2018 16:20:59 +0200
Source: aubio
Binary: libaubio-dev libaubio5 aubio-tools libaubio-doc python-aubio python3-aubio
Architecture: source
Version: 0.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Brossier <piem@debian.org>
Changed-By: Paul Brossier <piem@debian.org>
Description:
 aubio-tools - library for audio segmentation -- utilities
 libaubio-dev - library for audio and music analysis, synthesis, and effects
 libaubio-doc - library for audio segmentation -- documentation
 libaubio5  - library for audio segmentation
 python-aubio - Python interface for aubio, a library for audio segmentation
 python3-aubio - Python interface for aubio, a library for audio segmentation
Closes: 883355 884232 884237 888336 904906 904907 904908
Changes:
 aubio (0.4.6-1) unstable; urgency=medium
 .
   * New upstream version 0.4.6
   * Acknowledge NMU (thanks to Sebastian Ramacher, closes: #888336)
   * debian/watch: use https
   * debian/copyright: fix file path
   * debian/control:
     - remove duplicate Section from aubio-tools
     - capitalize Python in short descriptions
     - remove obsolete X-Python fields
     - bump Standards-Version to 4.2.1
     - move Vcs-Git and Browser to salsa.d.o
   * debian/rules:
     - add a comment to enable bindnow hardening
     - add -Wl,--as-needed to LDFLAGS
     - clean waf_gensyms and python/tests/sounds
   * debian/patches:
     - add upstream patches to fix security issues
     - add avoid_deprecated to omit av_register_all() where deprecated
   * CVE-2017-17054 div by zero, thx to my123px (closes: #883355)
   * CVE-2017-17554 null pointer dereference, thx to IvanCql (closes: #884237)
   * CVE-2017-17555 denial of service, thx to IvanCql (closes: #884232)
   * CVE-2018-14521 SEGV in aubiomfcc, thx to fCorleone (closes: #904908)
   * CVE-2018-14522 SEGV in aubionotes, thx to fCorleone (closes: #904907)
   * CVE-2018-14523 global buffer overflow, thx to fCorleone (closes: #904906)
Checksums-Sha1:
 1b8717b836572008818ba41358fb3f4f7255119f 2905 aubio_0.4.6-1.dsc
 3bcaf23d11936d3ff215307fb5fc3f0c3f7a70de 363016 aubio_0.4.6.orig.tar.bz2
 b40c085a943cc029d523f7e0b1220e7191eecf2b 963 aubio_0.4.6.orig.tar.bz2.asc
 3dc3d222957fc8c372be60cddef7dd206727e632 38908 aubio_0.4.6-1.debian.tar.xz
 b03941f9543423586ea1d780e1c13f6e11fa6804 14017 aubio_0.4.6-1_i386.buildinfo
Checksums-Sha256:
 fdf4499dd0f6e54eed6695d88865a722abb70e139c741a1ca42beccce3722b22 2905 aubio_0.4.6-1.dsc
 bdc73be1f007218d3ea6d2a503b38a217815a0e2ccc4ed441f6e850ed5d47cfb 363016 aubio_0.4.6.orig.tar.bz2
 b4c72db879bea78296d6f735adb8239a79b19c5ce95bc97b29b37f7bbd1af1f0 963 aubio_0.4.6.orig.tar.bz2.asc
 3ef9a6a3c154173d94a4b8fd2ee28c6740f568c2cd89dcb5d5a48bc67e7ca5d1 38908 aubio_0.4.6-1.debian.tar.xz
 b4d51d388c6f8364af05e8a5d0e35a4b4edca46677369efe0a77a079f52d14f1 14017 aubio_0.4.6-1_i386.buildinfo
Files:
 b47e50a2f737a368a2fa8984537304f0 2905 sound optional aubio_0.4.6-1.dsc
 78d326e5e44d19b0d21a5abf834bae20 363016 sound optional aubio_0.4.6.orig.tar.bz2
 4908e555352a760b799174a3f5683915 963 sound optional aubio_0.4.6.orig.tar.bz2.asc
 8de807d100965e90475d6d0893136640 38908 sound optional aubio_0.4.6-1.debian.tar.xz
 6be9baaefdb456801c31fe7d26dbed23 14017 sound optional aubio_0.4.6-1_i386.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Oct 2018 07:27:41 GMT)
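Every CVE in the 0.4.6-1 changelog above is a crash-class bug triggered by a crafted input file (NULL pointer dereference, division by zero, SEGVs in aubiomfcc and aubionotes, a global buffer overflow), which is also the shape of the "DoS when playing a crafted audio file" in this report. The practical check after upgrading is therefore to run the package's command-line tools over the crafted files and distinguish a signal-killed process from an ordinary non-zero exit or a hang. The block below is an added example, not code from this bug report or from aubio: a small triage harness that classifies each run by exit status. Everything it runs against is constructed so it works offline, namely a stand-in "tool" (`FAKE_TOOL`, a Python one-liner) that segfaults on a file starting with byte 0xFF, exits 1 on an empty file and succeeds otherwise, plus a three-file corpus. Against a real installation you would pass a command such as `["aubioonset", "-i"]` (aubio's tools take the input file with `-i`) and a directory of crafted files instead.

```python
"""Crash-triage harness for crafted-input denial-of-service bugs (added example).

Runs a command on each candidate file and classifies the outcome as
ok / error / crash:<SIGNAL> / timeout, so that a rebuilt or upgraded package
can be checked against a corpus of crafted files.  The FAKE_TOOL and the
corpus in demo() are constructed stand-ins so the harness runs offline.
"""
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for a tool such as `aubioonset -i FILE`: it segfaults
# on a file whose first byte is 0xFF, exits 1 on an empty file, else exits 0.
FAKE_TOOL = (
    "import os, signal, sys\n"
    "data = open(sys.argv[1], 'rb').read()\n"
    "if not data: sys.exit(1)\n"
    "if data[0] == 0xFF: os.kill(os.getpid(), signal.SIGSEGV)\n"
)


def classify(cmd, path, timeout=10):
    """Run cmd with path appended; return 'ok', 'error', 'crash:<SIG>' or 'timeout'."""
    try:
        proc = subprocess.run(cmd + [str(path)], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"            # a hang is also a denial of service
    rc = proc.returncode
    if rc < 0:                      # POSIX: negative return code = killed by signal -rc
        return f"crash:{signal.Signals(-rc).name}"
    if rc == 0:
        return "ok"
    return "error"                  # tool rejected the input cleanly


def triage(cmd, files, timeout=10):
    """Map each file name to its classification."""
    return {Path(p).name: classify(cmd, p, timeout) for p in files}


def demo():
    """Build a constructed three-file corpus and triage it with the stand-in tool."""
    corpus = {
        "crafted.wav": b"\xff" + b"\x00" * 15,   # constructed: triggers the stand-in crash
        "empty.wav": b"",                         # constructed: rejected with exit 1
        "benign.wav": b"RIFF" + b"\x00" * 12,     # constructed: accepted
    }
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in corpus.items():
            p = Path(d) / name
            p.write_bytes(data)
            paths.append(p)
        return triage([sys.executable, "-c", FAKE_TOOL], paths)


if __name__ == "__main__":
    # Real use: triage(["aubioonset", "-i"], Path("crafted/").iterdir())
    for name, verdict in sorted(demo().items()):
        print(f"{name:14} {verdict}")
```

Only the `crash:` and `timeout` verdicts indicate the bug class this report is about; an `error` verdict after the upgrade (the tool refusing the file with a non-zero exit) is the expected behaviour for a fixed build. Signal classification relies on POSIX semantics for negative return codes, so the harness is for Linux and BSD hosts.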




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:05:40 2019; Machine Name: beach
