taglib: CVE-2018-11439: heap-based buffer over-read via a crafted audio file

Related Vulnerabilities: CVE-2018-11439  

Debian Bug report logs - #903847

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 15 Jul 2018 19:09:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version taglib/1.11.1+dfsg.1-0.1

Fixed in version taglib/1.11.1+dfsg.1-0.3

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/taglib/taglib/issues/868



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Modestas Vainius <modax@debian.org>:
Bug#903847; Package src:taglib. (Sun, 15 Jul 2018 19:09:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Modestas Vainius <modax@debian.org>. (Sun, 15 Jul 2018 19:09:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: taglib: CVE-2018-11439: heap-based buffer over-read via a crafted audio file
Date: Sun, 15 Jul 2018 21:06:57 +0200
Source: taglib
Version: 1.11.1+dfsg.1-0.1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/taglib/taglib/issues/868

Hi,

The following vulnerability was published for taglib.

CVE-2018-11439[0]:
| The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in
| TagLib 1.11.1 allows remote attackers to cause information disclosure
| (heap-based buffer over-read) via a crafted audio file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11439
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11439
[1] https://github.com/taglib/taglib/issues/868
[2] https://github.com/taglib/taglib/pull/869
[3] https://github.com/sgayou/taglib/commit/272648ccfcccae30e002ccf34a22e075dd477278

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 11 Oct 2018 20:03:10 GMT).


Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Tue, 19 Feb 2019 23:27:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Feb 2019 23:27:03 GMT).


Message #12 received at 903847-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 903847-close@bugs.debian.org
Subject: Bug#903847: fixed in taglib 1.11.1+dfsg.1-0.3
Date: Tue, 19 Feb 2019 23:24:45 +0000
Source: taglib
Source-Version: 1.11.1+dfsg.1-0.3

We believe that the bug you reported is fixed in the latest version of
taglib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated taglib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 19 Feb 2019 23:24:40 +0100
Source: taglib
Binary: libtag1-dev libtag1-doc libtag1v5 libtag1v5-vanilla libtag1v5-vanilla-dbgsym libtagc0 libtagc0-dbgsym libtagc0-dev
Architecture: source amd64 all
Version: 1.11.1+dfsg.1-0.3
Distribution: unstable
Urgency: medium
Maintainer: Modestas Vainius <modax@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
 libtag1-dev - audio meta-data library - development files
 libtag1-doc - audio meta-data library - API documentation
 libtag1v5  - audio meta-data library
 libtag1v5-vanilla - audio meta-data library - vanilla flavour
 libtagc0   - audio meta-data library - C bindings
 libtagc0-dev - audio meta-data library - development files for C bindings
Closes: 903847
Changes:
 taglib (1.11.1+dfsg.1-0.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2018-11439 (Closes: #903847)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Mar 2019 07:28:23 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:41:27 2019; Machine Name: beach
