libsndfile: CVE-2017-8365

Debian Bug report logs - #862202

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 May 2017 18:45:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libsndfile/1.0.27-2

Fixed in version libsndfile/1.0.27-3

Done: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/erikd/libsndfile/issues/230



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#862202; Package src:libsndfile. (Tue, 09 May 2017 18:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>. (Tue, 09 May 2017 18:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsndfile: CVE-2017-8365
Date: Tue, 09 May 2017 20:43:41 +0200
Source: libsndfile
Version: 1.0.27-2
Severity: important
Tags: upstream security patch
Forwarded: https://github.com/erikd/libsndfile/issues/230

Hi,

the following vulnerability was published for libsndfile.

CVE-2017-8365[0]:
| The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote
| attackers to cause a denial of service (buffer over-read and
| application crash) via a crafted audio file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
[1] https://github.com/erikd/libsndfile/issues/230

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 15 May 2017 18:03:05 GMT)


Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>:
You have taken responsibility. (Sun, 28 May 2017 21:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 May 2017 21:21:05 GMT)


Message #12 received at 862202-close@bugs.debian.org:

From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
To: 862202-close@bugs.debian.org
Subject: Bug#862202: fixed in libsndfile 1.0.27-3
Date: Sun, 28 May 2017 21:18:39 +0000
Source: libsndfile
Source-Version: 1.0.27-3

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862202@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 28 May 2017 22:52:39 +0200
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs libsndfile1-dbg sndfile-programs-dbg
Architecture: source
Version: 1.0.27-3
Distribution: unstable
Urgency: medium
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dbg - debugging symbols for libsndfile
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
 sndfile-programs-dbg - debugging symbols for sndfile-programs
Closes: 860255 862202 862203 862204 862205
Changes:
 libsndfile (1.0.27-3) unstable; urgency=medium
 .
   * Mentioned CVEs fixed by fix_bufferoverflows.patch
     (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
   * Backported patch for error handling of malicious/broken FLAC files
     (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
     (Closes: #860255)
   * Backported patch to fix buffer read overflow in FLAC code
     (CVE-2017-8362)
     (Closes: #862204)
   * Backported patches to fix memory leaks in FLAC code
     (CVE-2017-8363)
     (Closes: #862203)
   * Backported patch to fix buffer overruns in FLAC-code
     (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
     (Closes: #862205, #862203, #862202)
 .
   * Added Vcs-* stanzas to d/control
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Aug 2017 07:24:45 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:13:12 2019; Machine Name: buxtehude