Debian Bug report logs - #884735 libsndfile: CVE-2017-17456 CVE-2017-17457
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#884735; Package src:libsndfile. (Mon, 18 Dec 2017 21:15:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 18 Dec 2017 21:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libsndfile
Version: 1.0.28-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/344
Hi,
the following vulnerabilities were published for libsndfile.
CVE-2017-17456[0]:
| The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead
| to a remote DoS attack (SEGV on unknown address 0x000000000000), a
| different vulnerability than CVE-2017-14245.
CVE-2017-17457[1]:
| The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead
| to a remote DoS attack (SEGV on unknown address 0x000000000000), a
| different vulnerability than CVE-2017-14246.
Note, as mentioned in the CVE assignments, that these are different from
CVE-2017-14245 and CVE-2017-14246; crash PoC files are attached to the
upstream bug report and demonstrable with e.g. an ASAN build of
libsndfile.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
[1] https://security-tracker.debian.org/tracker/CVE-2017-17457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 24 Dec 2018 17:42:10 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#884735. (Tue, 12 Feb 2019 15:03:07 GMT)
Message #10 received at 884735-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #884735 in libsndfile reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/multimedia-team/libsndfile/commit/f03a33e30a4c3c010f7f2d17331f943a8a4abfac
------------------------------------------------------------------------
Add patch to fix buffer overflows in alaw/ulaw code (CVE-2018-19661, CVE-2018-19662, CVE-2017-17456 and CVE-2017-17457).
Closes: #884735
Thanks: Hugo Lefeuvre <hle@owl.eu.com>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/884735
Added tag(s) pending. Request was from IOhannes zmölnig <noreply@salsa.debian.org> to 884735-submitter@bugs.debian.org. (Tue, 12 Feb 2019 15:03:08 GMT)
Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>: You have taken responsibility. (Tue, 12 Feb 2019 15:39:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 12 Feb 2019 15:39:05 GMT)
Message #17 received at 884735-close@bugs.debian.org:
Source: libsndfile
Source-Version: 1.0.28-5
We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884735@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 12 Feb 2019 15:59:58 +0100
Source: libsndfile
Architecture: source
Version: 1.0.28-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Closes: 876783 884735 917416
Changes:
libsndfile (1.0.28-5) unstable; urgency=medium
.
[ Ondřej Nový ]
* d/control: Set Vcs-* to salsa.debian.org
* d/changelog: Remove trailing whitespaces
.
[ Felipe Sateler ]
* Change maintainer address to debian-multimedia@lists.debian.org
.
[ IOhannes m zmölnig (Debian/GNU) ]
* Normalize patches with 'gbp pq'
* Add patch to fix buffer overflows in alaw/ulaw code
(CVE-2018-19661, CVE-2018-19662, CVE-2017-17456 and CVE-2017-17457).
Thanks to Hugo Lefeuvre <hle@owl.eu.com> (Closes: #884735)
* Patch to fix division by zero (CVE-2017-14634)
Thanks to Fabian Greffrath <fabian@greffrath.com> (Closes: #876783)
* Patch to fix heap read overflow (CVE-2018-19758)
Thanks to Erik de Castro Lopo <erikd@mega-nerd.com> (Closes: #917416)
* Patch to ensure that maxnum channels is not exceeded.
Thanks to Brett T. Warden <brett.t.warden@intel.com>
* Declare that "root" is not required to build this package
* Removed whitespace at end of d/changelog
* Bumped dh compat to 12
* Bump standards version to 4.3.0
Checksums-Sha1:
4d5f1c81b5d55d14520c2945093d94eacff22bae 2195 libsndfile_1.0.28-5.dsc
caf1b1b16264c42efc00043c6e24d88772a658d3 16088 libsndfile_1.0.28-5.debian.tar.xz
c6631b5c8685da32e78da60cd4b6b28fab477b68 6704 libsndfile_1.0.28-5_amd64.buildinfo
Checksums-Sha256:
0065a33489ef2bc79e94c805a150369c096163776f567724918bf89da2916eda 2195 libsndfile_1.0.28-5.dsc
d58f7448e1d45457c8593b72c550a4c48d4aa094f930c2a5149c7bb82bc93291 16088 libsndfile_1.0.28-5.debian.tar.xz
db0fdf23a8db0a2e8651669881e864d0c6e67160edac0c05bddca845be161f5e 6704 libsndfile_1.0.28-5_amd64.buildinfo
Files:
09028a82ce0166635d3bc780ca4be327 2195 devel optional libsndfile_1.0.28-5.dsc
b0e2293bad7a72173d19ac5f9dffb051 16088 devel optional libsndfile_1.0.28-5.debian.tar.xz
76f1f665f8362236e2043755c565926c 6704 devel optional libsndfile_1.0.28-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
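The closing message above gives the fixed source version as 1.0.28-5, while the report was filed against 1.0.28-4. When auditing hosts for this bug, the comparison has to follow dpkg's version ordering rather than string or float comparison: a Debian revision "-10" sorts after "-5", "~" sorts before everything including the empty string, and the upstream "1.0.29pre1" named in the CVE text sorts after "1.0.28". The Python below is an added example and not part of the bug log or of the libsndfile or dpkg code; it reimplements the dpkg ordering rules (epoch, then upstream version, then Debian revision, each compared as alternating non-digit and digit runs) for illustration and runs them over a constructed list of `dpkg-query -W -f '${binary:Package} ${Version}\n'` output lines. The function names, the set of binary package names and the sample lines are assumptions; on a real host, `dpkg --compare-versions` is the authoritative check.

```python
"""Check installed libsndfile versions against the fixed Debian version.

Added example (not from the Debian bug log or from libsndfile/dpkg).
The ordering below follows the dpkg algorithm: compare epoch, then the
upstream version, then the Debian revision; each fragment is compared
as alternating runs of non-digits (character weights) and digits
(numeric), with '~' sorting before everything, even the end of string.
Use `dpkg --compare-versions` on a real system; this is illustration.
"""

# Fixed version taken from the closing message in bug #884735.
FIXED_VERSION = "1.0.28-5"

# Binary packages built from src:libsndfile (assumption for this example).
LIBSNDFILE_BINARIES = {"libsndfile1", "libsndfile1-dev", "sndfile-programs"}


def _order(c: str) -> int:
    """Weight of one character (or "" for end of string), as in dpkg's order()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, including ""
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments with dpkg's verrevcmp() rules."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def vulnerable_packages(dpkg_query_lines):
    """Return [(package, version)] for libsndfile binaries below the fix.

    Input lines are in the shape of `dpkg-query -W -f '${binary:Package} ${Version}\\n'`.
    """
    hits = []
    for line in dpkg_query_lines:
        line = line.strip()
        if not line:
            continue
        pkg, _, ver = line.partition(" ")
        if pkg.split(":")[0] in LIBSNDFILE_BINARIES and not is_fixed(ver):
            hits.append((pkg, ver))
    return hits


# Constructed sample input (not real host data).
SAMPLE_DPKG_QUERY = """\
libsndfile1:amd64 1.0.28-4
libsndfile1-dev:amd64 1.0.28-4
sndfile-programs 1.0.28-5
libc6:amd64 2.28-10
"""

if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DPKG_QUERY.splitlines()):
        print(f"{pkg} {ver} is below {FIXED_VERSION}")
```

One caveat when reusing this against stable releases: 1.0.28-5 is the unstable fix. A stable security update carries a lower version string (a revision with a suite suffix) that may still contain the patch, so compare against the per-suite fixed version listed on the security tracker pages referenced in the report, not against the unstable version.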
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Apr 2019 07:28:45 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:19:46 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.