Debian Bug report logs - #903499
audiofile: CVE-2018-13440
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#903499; Package src:audiofile. (Tue, 10 Jul 2018 19:12:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 10 Jul 2018 19:12:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: audiofile
Version: 0.3.6-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/mpruett/audiofile/issues/49
Hi,
The following vulnerability was published for audiofile. Filing this
bug to track the upstream issue at [1].
CVE-2018-13440[0]:
| The audiofile Audio File Library 0.3.6 has a NULL pointer dereference
| bug in ModuleState::setup in modules/ModuleState.cpp, which allows an
| attacker to cause a denial of service via a crafted caf file, as
| demonstrated by sfconvert.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-13440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13440
[1] https://github.com/mpruett/audiofile/issues/49
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#903499; Package src:audiofile. (Sat, 30 Mar 2019 23:51:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 30 Mar 2019 23:51:03 GMT)
Message #10 received at 903499@bugs.debian.org:
Hi,
I created https://salsa.debian.org/multimedia-team/audiofile/merge_requests/1 to address this.
Cheers,
Moritz
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#903499. (Fri, 05 Apr 2019 14:12:02 GMT)
Message #13 received at 903499-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #903499 in audiofile reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/multimedia-team/audiofile/commit/b08e179777e81663f403de3febc3465073b33ca4
------------------------------------------------------------------------
* Two security fixes from the https://github.com/wtay/audiofile fork:
CVE-2018-13440 (Closes: #903499)
CVE-2018-17095 (Closes: #913166)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/903499
Added tag(s) pending. Request was from Sebastian Ramacher <noreply@salsa.debian.org> to 903499-submitter@bugs.debian.org. (Fri, 05 Apr 2019 14:12:02 GMT)
Reply sent to Sebastian Ramacher <sramacher@debian.org>: You have taken responsibility. (Fri, 05 Apr 2019 14:48:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 05 Apr 2019 14:48:05 GMT)
Message #20 received at 903499-close@bugs.debian.org:
Source: audiofile
Source-Version: 0.3.6-5
We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 903499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated audiofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 Apr 2019 16:13:16 +0200
Source: audiofile
Architecture: source
Version: 0.3.6-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 903499 913166
Changes:
audiofile (0.3.6-5) unstable; urgency=medium
.
* Team upload.
.
[ Ondřej Nový ]
* d/control: Set Vcs-* to salsa.debian.org
* d/copyright: Use https protocol in Format field
.
[ Felipe Sateler ]
* Change maintainer address to debian-multimedia@lists.debian.org
.
[ Moritz Mühlenhoff ]
* Two security fixes from the https://github.com/wtay/audiofile fork:
CVE-2018-13440 (Closes: #903499)
CVE-2018-17095 (Closes: #913166)
Reply sent to Moritz Mühlenhoff <jmm@debian.org>: You have taken responsibility. (Sun, 14 Apr 2019 09:36:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 14 Apr 2019 09:36:04 GMT)
Message #25 received at 903499-close@bugs.debian.org:
Source: audiofile
Source-Version: 0.3.6-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 903499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated audiofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 11 Apr 2019 00:28:31 +0200
Source: audiofile
Binary: audiofile-tools libaudiofile-dev libaudiofile1
Architecture: source amd64
Version: 0.3.6-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
audiofile-tools - sfinfo and sfconvert tools
libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
libaudiofile1 - Open-source version of SGI's audiofile library
Closes: 903499 913166
Changes:
audiofile (0.3.6-4+deb9u1) stretch; urgency=medium
.
* CVE-2018-13440 (Closes: #903499)
* CVE-2018-17095 (Closes: #913166)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 May 2019 07:29:30 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:41:42 2019;