CVE-2009-3388

Related Vulnerabilities: CVE-2009-3388  

Debian Bug report logs - #575743
CVE-2009-3388


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sun, 28 Mar 2010 21:18:01 UTC

Severity: serious

Tags: patch, security

Fixed in version liboggplay/0.2.1~git20091227-1.1

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, John Francesco Ferlito <johnf@inodes.org>:
Bug#575743; Package liboggplay. (Sun, 28 Mar 2010 21:18:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, John Francesco Ferlito <johnf@inodes.org>. (Sun, 28 Mar 2010 21:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3388
Date: Sun, 28 Mar 2010 23:14:43 +0200
Package: liboggplay
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for liboggplay.

CVE-2009-3388[0]:
| liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before
| 2.0.1 might allow context-dependent attackers to cause a denial of
| service (application crash) or execute arbitrary code via unspecified
| vectors, related to "memory safety issues."

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3388
    http://security-tracker.debian.org/tracker/CVE-2009-3388


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuvxsEACgkQNxpp46476aqREACfYnCft1W9BXzwONB9Z7fWzr9E
NTAAn18tdjdb7f9EHuL8OBo8wSSIAFiC
=e2C8
-----END PGP SIGNATURE-----




Added tag(s) patch. Request was from Alexander Reichle-Schmehl <tolimar@debian.org> to control@bugs.debian.org. (Tue, 13 Apr 2010 13:57:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, John Francesco Ferlito <johnf@inodes.org>:
Bug#575743; Package liboggplay. (Tue, 13 Apr 2010 14:03:08 GMT)


Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to John Francesco Ferlito <johnf@inodes.org>. (Tue, 13 Apr 2010 14:03:08 GMT)


Message #12 received at 575743@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 575743@bugs.debian.org
Subject: liboggplay: diff for NMU version 0.2.1~git20091227-1.1
Date: Tue, 13 Apr 2010 15:55:59 +0200
tags 575743 + patch
thanks

Dear maintainer,

I've prepared an NMU for liboggplay (versioned as 0.2.1~git20091227-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.
[liboggplay-0.2.1~git20091227-1.1-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, John Francesco Ferlito <johnf@inodes.org>:
Bug#575743; Package liboggplay. (Tue, 13 Apr 2010 14:15:10 GMT)


Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to John Francesco Ferlito <johnf@inodes.org>. (Tue, 13 Apr 2010 14:15:10 GMT)


Message #17 received at 575743@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 575743@bugs.debian.org
Subject: Re: Bug#575743: liboggplay: diff for NMU version 0.2.1~git20091227-1.1
Date: Tue, 13 Apr 2010 16:10:37 +0200
Hi!

Alexander Reichle-Schmehl wrote:

> I've prepared an NMU for liboggplay (versioned as 0.2.1~git20091227-1.1) and
> uploaded it to DELAYED/5.

Uhm... Apparently I did not :(  Sorry, forgot the -e for dput.  Hope 
that's okay with you...


Best regards,
  Alexander





Information forwarded to debian-bugs-dist@lists.debian.org, John Francesco Ferlito <johnf@inodes.org>:
Bug#575743; Package liboggplay. (Thu, 15 Apr 2010 02:21:03 GMT)


Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to John Francesco Ferlito <johnf@inodes.org>. (Thu, 15 Apr 2010 02:21:03 GMT)


Message #22 received at 575743@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 575743@bugs.debian.org
Subject: Re: liboggplay: diff for NMU version 0.2.1~git20091227-1.1
Date: Thu, 15 Apr 2010 04:20:14 +0200
Hi!


* Alexander Reichle-Schmehl <tolimar@debian.org> [100413 15:55]:

> I've prepared an NMU [..]

Attached is an updated patch which also adds a version to the
build-depends on quilt to avoid automatic rejection by ftp-master.


Best Regards,
  Alexander
[liboggplay-0.2.1~git20091227-1.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Thu, 15 Apr 2010 03:36:03 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Thu, 15 Apr 2010 03:36:03 GMT)


Message #27 received at 575743-close@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 575743-close@bugs.debian.org
Subject: Bug#575743: fixed in liboggplay 0.2.1~git20091227-1.1
Date: Thu, 15 Apr 2010 03:33:08 +0000
Source: liboggplay
Source-Version: 0.2.1~git20091227-1.1

We believe that the bug you reported is fixed in the latest version of
liboggplay, which is due to be installed in the Debian FTP archive:

liboggplay1-dbg_0.2.1~git20091227-1.1_amd64.deb
  to main/libo/liboggplay/liboggplay1-dbg_0.2.1~git20091227-1.1_amd64.deb
liboggplay1-dev_0.2.1~git20091227-1.1_amd64.deb
  to main/libo/liboggplay/liboggplay1-dev_0.2.1~git20091227-1.1_amd64.deb
liboggplay1_0.2.1~git20091227-1.1_amd64.deb
  to main/libo/liboggplay/liboggplay1_0.2.1~git20091227-1.1_amd64.deb
liboggplay_0.2.1~git20091227-1.1.diff.gz
  to main/libo/liboggplay/liboggplay_0.2.1~git20091227-1.1.diff.gz
liboggplay_0.2.1~git20091227-1.1.dsc
  to main/libo/liboggplay/liboggplay_0.2.1~git20091227-1.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575743@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <tolimar@debian.org> (supplier of updated liboggplay package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 15 Apr 2010 04:11:22 +0200
Source: liboggplay
Binary: liboggplay1 liboggplay1-dev liboggplay1-dbg
Architecture: source amd64
Version: 0.2.1~git20091227-1.1
Distribution: unstable
Urgency: high
Maintainer: John Francesco Ferlito <johnf@inodes.org>
Changed-By: Alexander Reichle-Schmehl <tolimar@debian.org>
Description: 
 liboggplay1 - A library for playing OGG multimedia
 liboggplay1-dbg - A library for playing OGG multimedia (debugging symbols)
 liboggplay1-dev - A library for playing OGG multimedia (development files)
Closes: 575743
Changes: 
 liboggplay (0.2.1~git20091227-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2009-3388 with patch from Matthew Gregan in
     http://hg.mozilla.org/releases/mozilla-1.9.1/rev/14dd26404792
     (Closes: #575743)
   * Urgency set to high for security related RC bug fix
   * Add version (>= 0.46-7~) to build-depends on quilt to avoid ftp-master
     auto-reject

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvGdngACgkQBxd04ADYzRZ4OQCfZw6+QAR2GcVW/r2TPQ2ipI94
YIEAoJ34vXfpwBYwUIq5Bx4lDeDvxpdZ
=FpHs
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 May 2010 07:36:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:06:30 2019; Machine Name: buxtehude
