libvorbisidec: multiple longstanding unfixed security issues in libvorbis

Debian Bug report logs - #669196


Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Wed, 18 Apr 2012 03:21:01 UTC

Severity: grave

Tags: patch

Found in version 1.0.2+svn16259-2

Fixed in version 1.0.2+svn18153-0.2

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#669196; Package libvorbisidec. (Wed, 18 Apr 2012 03:21:04 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Wed, 18 Apr 2012 03:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbisidec: multiple longstanding unfixed security issues in libvorbis
Date: Tue, 17 Apr 2012 23:16:08 -0400
package: libvorbisidec
severity: grave
version: 1.0.2+svn16259-2
tag: security

libvorbisidec shares a large majority of its code with libvorbis.
There have been quite a few security issues fixed in libvorbis over
the past few years that have subsequently gone unfixed here.  These
include:

CVE-2007-3106
CVE-2007-4029
CVE-2007-4065
CVE-2007-4066
CVE-2008-1419
CVE-2008-1420
CVE-2008-1423
CVE-2008-2009
CVE-2009-2663
CVE-2009-3379
CVE-2012-0444

I have only checked the 2009 and 2012 issues so far, but since all
were issued after the 1.0 release, it is very likely that most are valid.

Anyway, these issues should be fixed or the package should be removed.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#669196; Package libvorbisidec. (Sat, 23 Jun 2012 16:09:03 GMT)


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Sat, 23 Jun 2012 16:09:03 GMT)


Message #10 received at 669196@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 669196@bugs.debian.org
Subject: libvorbisidec: diff for NMU version 1.0.2+svn18153-0.1
Date: Sat, 23 Jun 2012 18:05:54 +0200
tags 669196 + patch
tags 669196 + pending
thanks

Dear maintainer,

I've prepared an NMU for libvorbisidec (versioned as 1.0.2+svn18153-0.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Cheers

Luk
[libvorbisidec-1.0.2+svn18153-0.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2012 16:09:11 GMT)


Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2012 16:09:11 GMT)


Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Mon, 25 Jun 2012 16:46:18 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Mon, 25 Jun 2012 16:46:18 GMT)


Message #19 received at 669196-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 669196-close@bugs.debian.org
Subject: Bug#669196: fixed in libvorbisidec 1.0.2+svn18153-0.1
Date: Mon, 25 Jun 2012 16:33:36 +0000
Source: libvorbisidec
Source-Version: 1.0.2+svn18153-0.1

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive:

libvorbisidec-dev_1.0.2+svn18153-0.1_i386.deb
  to main/libv/libvorbisidec/libvorbisidec-dev_1.0.2+svn18153-0.1_i386.deb
libvorbisidec1_1.0.2+svn18153-0.1_i386.deb
  to main/libv/libvorbisidec/libvorbisidec1_1.0.2+svn18153-0.1_i386.deb
libvorbisidec_1.0.2+svn18153-0.1.diff.gz
  to main/libv/libvorbisidec/libvorbisidec_1.0.2+svn18153-0.1.diff.gz
libvorbisidec_1.0.2+svn18153-0.1.dsc
  to main/libv/libvorbisidec/libvorbisidec_1.0.2+svn18153-0.1.dsc
libvorbisidec_1.0.2+svn18153.orig.tar.gz
  to main/libv/libvorbisidec/libvorbisidec_1.0.2+svn18153.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 669196@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 23 Jun 2012 16:51:00 +0200
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source i386
Version: 1.0.2+svn18153-0.1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Closes: 669196
Changes: 
 libvorbisidec (1.0.2+svn18153-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * New upstream version to fix security issues.
     * CVE-2008-1419: correctly handle codebook.dim==0 case
     * CVE-2008-1423: check for absurdly huge codebooks
     * CVE-2008-2009: sanity check for underpopulated Huffman trees
     * CVE-2009-3379: multiple vulnerabilities MFSA 2009-63
     * CVE-2012-0444: fix decoding memory corruption
     Closes: #669196
   * Add libogg-dev dependency to avoid FTBFS.
   * Don't ship .la file.

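The three codebook sanity checks named in the changelog above (the codebook.dim==0 case, absurdly huge codebooks, and underpopulated Huffman trees) written out as one header validator. This is an added C example, not code from libvorbisidec or libvorbis; the size limit, the decision to reject dim==0 outright, and the strict Kraft-sum rule (no allowance for special cases such as single-entry codebooks) are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>

/* Upper bound on codebook size accepted by this checker. A constructed
 * limit for the example, not the value any real decoder uses. */
#define MAX_CODEBOOK_ENTRIES ((uint32_t)1 << 20)

enum cb_status {
    CB_OK = 0,
    CB_BAD_DIM,         /* dim == 0: nothing sensible to decode into   */
    CB_TOO_BIG,         /* entries or dim*entries beyond the limit     */
    CB_BAD_LENGTH,      /* codeword length outside 1..32 bits          */
    CB_OVERSPECIFIED,   /* more codewords than a prefix tree can hold  */
    CB_UNDERPOPULATED   /* tree has unused leaves: ambiguous decoding  */
};

/* Validate a Vorbis-style codebook header before any Huffman tree is built.
 *   dim     - vector dimensions of the codebook
 *   entries - number of codewords
 *   lengths - codeword length in bits for each entry; 0 marks an unused
 *             (sparse) entry
 * The Kraft sum of the assigned lengths is computed scaled by 2^32, so a
 * length-L codeword consumes 2^(32-L) units and a complete prefix code
 * consumes exactly 2^32. Anything else is rejected. */
enum cb_status validate_codebook(uint32_t dim, uint32_t entries,
                                 const uint8_t *lengths)
{
    if (dim == 0)
        return CB_BAD_DIM;
    if (entries == 0 || entries > MAX_CODEBOOK_ENTRIES)
        return CB_TOO_BIG;
    /* Decoders allocate dim*entries values, so bound the product too. */
    if ((uint64_t)dim * entries > MAX_CODEBOOK_ENTRIES)
        return CB_TOO_BIG;

    const uint64_t full = (uint64_t)1 << 32;
    uint64_t used = 0;
    uint32_t assigned = 0;
    for (uint32_t i = 0; i < entries; i++) {
        uint8_t len = lengths[i];
        if (len == 0)
            continue;                   /* sparse entry, no codeword */
        if (len > 32)
            return CB_BAD_LENGTH;
        used += (uint64_t)1 << (32 - len);
        assigned++;
        if (used > full)
            return CB_OVERSPECIFIED;    /* fail early, before the tree */
    }
    if (assigned == 0 || used != full)
        return CB_UNDERPOPULATED;
    return CB_OK;
}
```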





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#669196; Package libvorbisidec. (Mon, 25 Jun 2012 20:45:10 GMT)


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Mon, 25 Jun 2012 20:45:10 GMT)


Message #24 received at 669196@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 669196@bugs.debian.org
Subject: libvorbisidec: diff for NMU version 1.0.2+svn18153-0.2
Date: Mon, 25 Jun 2012 22:44:48 +0200
Package: libvorbisidec
Version: 1.0.2+svn18153-0.1
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for libvorbisidec (versioned as 1.0.2+svn18153-0.2) and
uploaded it.

Cheers

Luk
[libvorbisidec-1.0.2+svn18153-0.2-nmu.diff (text/x-diff, attachment)]

No longer marked as found in versions 1.0.2+svn18153-0.1. Request was from Tim Retout <diocles@debian.org> to control@bugs.debian.org. (Thu, 05 Jul 2012 18:24:08 GMT)


Marked as fixed in versions 1.0.2+svn18153-0.2. Request was from Tim Retout <diocles@debian.org> to control@bugs.debian.org. (Thu, 05 Jul 2012 18:24:09 GMT)


No longer marked as fixed in versions libvorbisidec/1.0.2+svn18153-0.1. Request was from Tim Retout <diocles@debian.org> to control@bugs.debian.org. (Thu, 05 Jul 2012 18:24:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#669196; Package libvorbisidec. (Thu, 17 Jan 2013 17:36:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Thu, 17 Jan 2013 17:36:03 GMT)


Message #35 received at 669196@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 669196@bugs.debian.org
Subject: Re: libvorbisidec: multiple longstanding unfixed security issues in libvorbis
Date: Thu, 17 Jan 2013 11:42:01 -0000
Package: libvorbisidec

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/669196/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#669196; Package libvorbisidec. (Thu, 17 Jan 2013 18:24:03 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. (Thu, 17 Jan 2013 18:24:03 GMT)


Message #40 received at 669196@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jonathan Wiltshire <jmw@debian.org>, 669196@bugs.debian.org
Subject: Re: Bug#669196: libvorbisidec: multiple longstanding unfixed security issues in libvorbis
Date: Thu, 17 Jan 2013 13:21:44 -0500
On 01/17/2013 06:42 AM, Jonathan Wiltshire wrote:
> Package: libvorbisidec

> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:

i regret to say that the (many) fixes for libvorbisidec might not be
appropriate for stable, since they were "resolved" by a jump to the new
upstream version, which itself appears to have stability problems in
some contexts that i haven't had time to nail down.

You've inspired me to file an RFH bug (#698378) about the package,
though, i don't know if that counts as progress :/

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:31:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:59:42 2019; Machine Name: buxtehude
