Debian Bug report logs - #817233
brotli: CVE-2016-1624 CVE-2016-1968
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 9 Mar 2016 07:54:10 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version brotli/0.3.0+dfsg-1
Fixed in version brotli/0.3.0+dfsg-3
Done: Tomasz Buchert <tomasz@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tomasz Buchert <tomasz@debian.org>: Bug#817233; Package src:brotli. (Wed, 09 Mar 2016 07:54:13 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tomasz Buchert <tomasz@debian.org>. (Wed, 09 Mar 2016 07:54:13 GMT)
Message #5 received at submit@bugs.debian.org:
Source: brotli
Severity: grave
Tags: security
Firefox fixed a buffer overflow in brotli:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
Please get in touch with upstream whether this also needs to be fixed
in the brotli source package in Debian.
Cheers,
Moritz
Marked as found in versions brotli/0.3.0+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Mar 2016 17:30:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Tomasz Buchert <tomasz@debian.org>: Bug#817233; Package src:brotli. (Thu, 10 Mar 2016 06:36:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Tomasz Buchert <tomasz@debian.org>. (Thu, 10 Mar 2016 06:36:04 GMT)
Message #12 received at 817233@bugs.debian.org:
Hi Thomas, hi Moritz,
On Wed, Mar 09, 2016 at 08:50:48AM +0100, Moritz Muehlenhoff wrote:
> Source: brotli
> Severity: grave
> Tags: security
>
> Firefox fixed a buffer overflow in brotli:
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
>
> Please get in touch with upstream whether this also needs to be fixed
> in the brotli source package in Debian.
JFTR, there was on one side CVE-2016-1968, associated as well with
the Iceweasel/Firefox update, and on the other hand CVE-2016-1624, which
was associated with the brotli update in Chromium.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Tomasz Buchert <tomasz@debian.org>: Bug#817233; Package src:brotli. (Thu, 10 Mar 2016 11:18:05 GMT)
Acknowledgement sent to Tomasz Buchert <tomasz@buchert.pl>: Extra info received and forwarded to list. Copy sent to Tomasz Buchert <tomasz@debian.org>. (Thu, 10 Mar 2016 11:18:05 GMT)
Message #17 received at 817233@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Hi guys,
I'm out of town and cannot work on this. NMUs welcome. :D
Tomasz
Sent from a Samsung phone
Salvatore Bonaccorso <carnil@debian.org> writes:
[Message part 2 (text/html, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Tomasz Buchert <tomasz@debian.org>: Bug#817233; Package src:brotli. (Mon, 14 Mar 2016 16:21:04 GMT)
Acknowledgement sent to Raúl Benencia <rul@kalgan.cc>: Extra info received and forwarded to list. Copy sent to Tomasz Buchert <tomasz@debian.org>. (Mon, 14 Mar 2016 16:21:06 GMT)
Message #22 received at 817233@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Control: tags 817233 + patch
Control: tags 817233 + pending
Hi Tomasz,
Attached is a patch with an NMU diff I've prepared for brotli. You can also
find the binary package at the following URL:
http://mentors.debian.net/package/brotli
Alternatively, one can download the package with dget using this command:
dget -x http://mentors.debian.net/debian/pool/main/b/brotli/brotli_0.3.0+dfsg-2.1.dsc
Cheers,
Rul
[brotli-0.3.0+dfsg-2.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Added tag(s) patch. Request was from Raúl Benencia <rul@kalgan.cc> to 817233-submit@bugs.debian.org. (Mon, 14 Mar 2016 16:21:07 GMT)
Added tag(s) pending. Request was from Raúl Benencia <rul@kalgan.cc> to 817233-submit@bugs.debian.org. (Mon, 14 Mar 2016 16:21:09 GMT)
Changed Bug title to 'brotli: CVE-2016-1624 CVE-2016-1968' from 'CVE-2016-1968'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2016 15:39:13 GMT)
Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2016 15:39:14 GMT)
Reply sent to Tomasz Buchert <tomasz@debian.org>: You have taken responsibility. (Sun, 27 Mar 2016 07:39:08 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 27 Mar 2016 07:39:08 GMT)
Message #35 received at 817233-close@bugs.debian.org:
Source: brotli
Source-Version: 0.3.0+dfsg-3
We believe that the bug you reported is fixed in the latest version of
brotli, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 817233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tomasz Buchert <tomasz@debian.org> (supplier of updated brotli package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 27 Mar 2016 09:00:55 +0200
Source: brotli
Binary: python-brotli python3-brotli brotli
Architecture: source
Version: 0.3.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Tomasz Buchert <tomasz@debian.org>
Changed-By: Tomasz Buchert <tomasz@debian.org>
Description:
brotli - lossless compression algorithm and format (command line utility)
python-brotli - lossless compression algorithm and format (Python 2 version)
python3-brotli - lossless compression algorithm and format (Python 3 version)
Closes: 817233
Changes:
brotli (0.3.0+dfsg-3) unstable; urgency=medium
.
[ Raúl Benencia ]
* Fixes for CVE-2016-1968 and CVE-2016-1624 (Closes: #817233)
.
[ Tomasz Buchert ]
* Bump Standards-Version to 3.9.7 (no changes needed)
Checksums-Sha1:
98182b913cdaf2745ff174f6a2d8feb168cf38fb 1705 brotli_0.3.0+dfsg-3.dsc
fa767e6561d6c5b44dc2146756c7aa7aad2bae7f 3264 brotli_0.3.0+dfsg-3.debian.tar.xz
Checksums-Sha256:
7589c62dfd955c42aa4d913736157b092ed1b887c3e60359829285cdf7b0bb63 1705 brotli_0.3.0+dfsg-3.dsc
05842bbd21da488bb1ec6b6d10ac80dc00c4cb19860386efbdbdeb8646dbfd59 3264 brotli_0.3.0+dfsg-3.debian.tar.xz
Files:
40ffcc0044562a310051d13c55e837b7 1705 python optional brotli_0.3.0+dfsg-3.dsc
aaaf05aecbac078c442eb221f2eb47bf 3264 python optional brotli_0.3.0+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCgAGBQJW94igAAoJEILCCkopy7/VHIwH/28JEQbdXZplpJ5qYG/N1y7t
lJGJf9CDje6Ya2D5ldv31tuT9kvxTlRTM+d8Zy/3lwLzN4a5nS2TfYq1ZpaOMG7N
X1W9AiIUnO7AFrAurOwx7IHGrw8QBDxzvvHujx2SPhw+7jqkml4/WbO4JiRpNC7a
4y3cr4Nz9aYlF8faZYJnT/0CTKlyX6r6B9k+NnDM0iSRpl8WGetWfoNkl5pXosXw
EmJYrX5dp99P0cBxZvtuD2hatXYtSJvbgjk/0d5vg6Ew6nNcI2iCnDZ1PH2ypQNh
PIUUXGRyAI21+XGhE3zXZIBm5hpyJarwaeopZDScKoISTgKu9yTS9Rq6iRt3+lc=
=pvIe
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Apr 2016 07:33:39 GMT)
Last modified: Wed Jun 19 17:48:12 2019