brotli: CVE-2016-1624 CVE-2016-1968

Debian Bug report logs - #817233

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 9 Mar 2016 07:54:10 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version brotli/0.3.0+dfsg-1

Fixed in version brotli/0.3.0+dfsg-3

Done: Tomasz Buchert <tomasz@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tomasz Buchert <tomasz@debian.org>:
Bug#817233; Package src:brotli. (Wed, 09 Mar 2016 07:54:13 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tomasz Buchert <tomasz@debian.org>. (Wed, 09 Mar 2016 07:54:13 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-1968
Date: Wed, 09 Mar 2016 08:50:48 +0100
Source: brotli
Severity: grave
Tags: security

Firefox fixed a buffer overflow in brotli:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/

Please get in touch with upstream whether this also needs to be fixed
in the brotli source package in Debian.

Cheers,
        Moritz



Marked as found in versions brotli/0.3.0+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Mar 2016 17:30:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Tomasz Buchert <tomasz@debian.org>:
Bug#817233; Package src:brotli. (Thu, 10 Mar 2016 06:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Tomasz Buchert <tomasz@debian.org>. (Thu, 10 Mar 2016 06:36:04 GMT)


Message #12 received at 817233@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 817233@bugs.debian.org
Subject: Re: Bug#817233: CVE-2016-1968
Date: Thu, 10 Mar 2016 07:32:02 +0100
Hi Thomas, hi Moritz,

On Wed, Mar 09, 2016 at 08:50:48AM +0100, Moritz Muehlenhoff wrote:
> Source: brotli
> Severity: grave
> Tags: security
> 
> Firefox fixed a buffer overflow in brotli:
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
> 
> Please get in touch with upstream whether this also needs to be fixed
> in the brotli source package in Debian.

JFTR, there was on one side CVE-2016-1968, associated as well with
the Iceweasel/Firefox update, and on the other hand CVE-2016-1624, which
was associated with the brotli update in chromium.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Tomasz Buchert <tomasz@debian.org>:
Bug#817233; Package src:brotli. (Thu, 10 Mar 2016 11:18:05 GMT)


Acknowledgement sent to Tomasz Buchert <tomasz@buchert.pl>:
Extra info received and forwarded to list. Copy sent to Tomasz Buchert <tomasz@debian.org>. (Thu, 10 Mar 2016 11:18:05 GMT)


Message #17 received at 817233@bugs.debian.org:

From: Tomasz Buchert <tomasz@buchert.pl>
To: Salvatore Bonaccorso <carnil@debian.org>, 817233@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: ODP: Bug#817233: CVE-2016-1968
Date: Thu, 10 Mar 2016 18:09:08 +0700
Hi guys,
I'm out of town and cannot work on this. NMUs welcome. :D

Tomasz


Sent from a Samsung phone

Salvatore Bonaccorso <carnil@debian.org> writes:

Information forwarded to debian-bugs-dist@lists.debian.org, Tomasz Buchert <tomasz@debian.org>:
Bug#817233; Package src:brotli. (Mon, 14 Mar 2016 16:21:04 GMT)


Acknowledgement sent to Raúl Benencia <rul@kalgan.cc>:
Extra info received and forwarded to list. Copy sent to Tomasz Buchert <tomasz@debian.org>. (Mon, 14 Mar 2016 16:21:06 GMT)


Message #22 received at 817233@bugs.debian.org:

From: Raúl Benencia <rul@kalgan.cc>
To: 817233@bugs.debian.org
Subject: brotli: diff for NMU version 0.3.0+dfsg-2.1
Date: Mon, 14 Mar 2016 09:10:53 -0700
Control: tags 817233 + patch
Control: tags 817233 + pending

Hi Tomasz,

Attached is a patch with an NMU diff I've prepared for brotli. You can also
find the binary package in the following URL:

  http://mentors.debian.net/package/brotli

Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/b/brotli/brotli_0.3.0+dfsg-2.1.dsc

Cheers,
Rul
[brotli-0.3.0+dfsg-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Raúl Benencia <rul@kalgan.cc> to 817233-submit@bugs.debian.org. (Mon, 14 Mar 2016 16:21:07 GMT)


Added tag(s) pending. Request was from Raúl Benencia <rul@kalgan.cc> to 817233-submit@bugs.debian.org. (Mon, 14 Mar 2016 16:21:09 GMT)


Changed Bug title to 'brotli: CVE-2016-1624 CVE-2016-1968' from 'CVE-2016-1968'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2016 15:39:13 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2016 15:39:14 GMT)


Reply sent to Tomasz Buchert <tomasz@debian.org>:
You have taken responsibility. (Sun, 27 Mar 2016 07:39:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 27 Mar 2016 07:39:08 GMT)


Message #35 received at 817233-close@bugs.debian.org:

From: Tomasz Buchert <tomasz@debian.org>
To: 817233-close@bugs.debian.org
Subject: Bug#817233: fixed in brotli 0.3.0+dfsg-3
Date: Sun, 27 Mar 2016 07:34:06 +0000
Source: brotli
Source-Version: 0.3.0+dfsg-3

We believe that the bug you reported is fixed in the latest version of
brotli, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 817233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Buchert <tomasz@debian.org> (supplier of updated brotli package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 27 Mar 2016 09:00:55 +0200
Source: brotli
Binary: python-brotli python3-brotli brotli
Architecture: source
Version: 0.3.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Tomasz Buchert <tomasz@debian.org>
Changed-By: Tomasz Buchert <tomasz@debian.org>
Description:
 brotli     - lossless compression algorithm and format (command line utility)
 python-brotli - lossless compression algorithm and format (Python 2 version)
 python3-brotli - lossless compression algorithm and format (Python 3 version)
Closes: 817233
Changes:
 brotli (0.3.0+dfsg-3) unstable; urgency=medium
 .
   [ Raúl Benencia ]
   * Fixes for CVE-2016-1968 and CVE-2016-1624 (Closes: #817233)
 .
   [ Tomasz Buchert ]
   * Bump Standards-Version to 3.9.7 (no changes needed)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Apr 2016 07:33:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:48:12 2019; Machine Name: buxtehude
