
Debian Bug report logs - #977764
flac: CVE-2020-0499


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 20 Dec 2020 13:06:04 UTC

Severity: important

Tags: security, upstream

Found in version flac/1.3.3-1

Fixed in version flac/1.3.3-2

Done: Fabian Greffrath <fabian@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#977764; Package src:flac. (Sun, 20 Dec 2020 13:06:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sun, 20 Dec 2020 13:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flac: CVE-2020-0499
Date: Sun, 20 Dec 2020 14:03:59 +0100
Source: flac
Version: 1.3.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for flac.

CVE-2020-0499[0]:
| In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a
| possible out of bounds read due to a heap buffer overflow. This could
| lead to remote information disclosure with no additional execution
| privileges needed. User interaction is needed for
| exploitation. Product: Android. Versions: Android-11. Android ID:
| A-156076070


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-0499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
[1] https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Fabian Greffrath <fabian@debian.org>:
You have taken responsibility. (Mon, 21 Dec 2020 16:09:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 21 Dec 2020 16:09:07 GMT)


Message #10 received at 977764-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 977764-close@bugs.debian.org
Subject: Bug#977764: fixed in flac 1.3.3-2
Date: Mon, 21 Dec 2020 16:04:01 +0000
Source: flac
Source-Version: 1.3.3-2
Done: Fabian Greffrath <fabian@debian.org>

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 21 Dec 2020 16:39:34 +0100
Source: flac
Architecture: source
Version: 1.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Closes: 977764
Changes:
 flac (1.3.3-2) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Use secure URI in Homepage field.
 .
   [ Fabian Greffrath ]
   * libFLAC/bitreader.c: Fix out-of-bounds read (CVE-2020-0499),
     Closes: #977764.
Checksums-Sha1:
 f95d09d2d722ced253071b08cace14dea227868b 2266 flac_1.3.3-2.dsc
 cf5c09f7fae3ac1a970d94d882764e560473e545 17428 flac_1.3.3-2.debian.tar.xz
 37b3bee9e571be12495dc1dd729ae25fa7376f55 8479 flac_1.3.3-2_amd64.buildinfo
Checksums-Sha256:
 8e35a77757b44441f8cdf5d5542feb174befa3c0d1c1294ddb7b0be5b38a757e 2266 flac_1.3.3-2.dsc
 78abfda22350056535c501082e17f6e1eb58205ae8a69062b66f7814b945a7f4 17428 flac_1.3.3-2.debian.tar.xz
 57ca32e0d3c3a66c8edd2c1cc1a1717b64eb7b33128429b6cbe26ca1bd027bac 8479 flac_1.3.3-2_amd64.buildinfo
Files:
 bd7d4b930f709db77769eddf0fb91afb 2266 sound optional flac_1.3.3-2.dsc
 28ceafe6d627b86b65f431c45b461a5d 17428 sound optional flac_1.3.3-2.debian.tar.xz
 13a4411510a8db83b1ed4ce095e2d5d2 8479 sound optional flac_1.3.3-2_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 12:00:51 2021; Machine Name: bembo
