libvorbisidec: CVE-2018-5147: out-of-bounds memory write

Related Vulnerabilities: CVE-2018-5147  

Debian Bug report logs - #893132


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Mar 2018 18:33:04 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libvorbisidec/1.0.2+svn18153-0.2

Fixed in versions libvorbisidec/1.2.1+git20180316-1, libvorbisidec/1.0.2+svn18153-1+deb9u1, libvorbisidec/1.0.2+svn18153-1~deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#893132; Package src:libvorbisidec. (Fri, 16 Mar 2018 18:33:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Fri, 16 Mar 2018 18:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbisidec: CVE-2018-5147: out-of-bounds memory write
Date: Fri, 16 Mar 2018 19:31:14 +0100
Source: libvorbisidec
Version: 1.0.2+svn18153-0.2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for libvorbisidec.

CVE-2018-5147[0]:
out-of-bounds memory write

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5147
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5147
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Regards,
Salvatore



Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Fri, 16 Mar 2018 20:57:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 16 Mar 2018 20:57:08 GMT)


Message #10 received at 893132-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 893132-close@bugs.debian.org
Subject: Bug#893132: fixed in libvorbisidec 1.2.1+git20180316-1
Date: Fri, 16 Mar 2018 20:55:03 +0000
Source: libvorbisidec
Source-Version: 1.2.1+git20180316-1

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Mar 2018 21:00:36 +0100
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source
Version: 1.2.1+git20180316-1
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Closes: 893132
Changes:
 libvorbisidec (1.2.1+git20180316-1) unstable; urgency=high
 .
   * QA upload.
   * Update from upstream git.
   * Includes fix for CVE-2018-5147 (closes: #893132).





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 17 Mar 2018 21:45:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Mar 2018 21:45:15 GMT)


Message #15 received at 893132-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893132-close@bugs.debian.org
Subject: Bug#893132: fixed in libvorbisidec 1.0.2+svn18153-1+deb9u1
Date: Sat, 17 Mar 2018 21:42:25 +0000
Source: libvorbisidec
Source-Version: 1.0.2+svn18153-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Mar 2018 21:00:34 +0100
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source
Version: 1.0.2+svn18153-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 893132
Description:
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Changes:
 libvorbisidec (1.0.2+svn18153-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
     (Closes: #893132)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 17 Mar 2018 21:48:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Mar 2018 21:48:13 GMT)


Message #20 received at 893132-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893132-close@bugs.debian.org
Subject: Bug#893132: fixed in libvorbisidec 1.0.2+svn18153-1~deb8u2
Date: Sat, 17 Mar 2018 21:46:15 +0000
Source: libvorbisidec
Source-Version: 1.0.2+svn18153-1~deb8u2

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Mar 2018 20:53:05 +0100
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source
Version: 1.0.2+svn18153-1~deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 893132
Description:
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Changes:
 libvorbisidec (1.0.2+svn18153-1~deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
     (Closes: #893132)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:28:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:49 2019; Machine Name: buxtehude
