Debian Bug report logs - #864704
libsndfile: CVE-2017-6892
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 13 Jun 2017 04:36:01 UTC
Severity: important
Tags: patch, security, upstream
Found in version libsndfile/1.0.25-9.1
Fixed in version libsndfile/1.0.28-1
Done: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>: Bug#864704; Package src:libsndfile. (Tue, 13 Jun 2017 04:36:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>. (Tue, 13 Jun 2017 04:36:03 GMT)

Message #5 received at submit@bugs.debian.org:
Source: libsndfile
Version: 1.0.25-9.1
Severity: important
Tags: upstream security patch
Hi,
the following vulnerability was published for libsndfile.
CVE-2017-6892[0]:
| In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()"
| function (aiff.c) can be exploited to cause an out-of-bounds read
| memory access via a specially crafted AIFF file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6892
[1] https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
Regards,
Salvatore
Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>: You have taken responsibility. (Tue, 20 Jun 2017 13:51:05 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 20 Jun 2017 13:51:05 GMT)

Message #10 received at 864704-close@bugs.debian.org:
Source: libsndfile
Source-Version: 1.0.28-1
We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864704@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 20 Jun 2017 15:03:55 +0200
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs
Architecture: source
Version: 1.0.28-1
Distribution: unstable
Urgency: medium
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Description:
libsndfile1 - Library for reading/writing audio files
libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
sndfile-programs - Sample programs that use libsndfile
Closes: 864704
Changes:
libsndfile (1.0.28-1) unstable; urgency=medium
.
* New upstream version 1.0.28
.
* d/patches/
* Removed patches applied upstream
* Refreshed patches
* Backported patch for fixing CVE-2017-6892
(Closes: #864704)
* Fixed more typos
* d/control: single line per Depends
* Switched packaging to shorthand dh
* Build automatic debug packages
* Dropped setting of DEB_*_GNU_TYPE and friends
* Raised debhelper compat to 10
* Dropped B-D on dh-autoreconf
* B-D on autotools-dev
* Use DEP5 for d/copyright
* Bumped standards version to 4.0.0
Checksums-Sha1:
94a8c055a1e8849c1670949ad7c742c3b2213581 2195 libsndfile_1.0.28-1.dsc
85aa967e19f6b9bf975601d79669025e5f8bc77d 1202833 libsndfile_1.0.28.orig.tar.gz
cf1997042fddf338f296bb47a1cb30b25dc42209 12288 libsndfile_1.0.28-1.debian.tar.xz
3706975134120554d18f0a53347ff963453322cf 6971 libsndfile_1.0.28-1_amd64.buildinfo
Checksums-Sha256:
2add75d023ec908ae94396e2a2e0ac83f0ad9e6ddb5b238419c91c5e91b22981 2195 libsndfile_1.0.28-1.dsc
1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9 1202833 libsndfile_1.0.28.orig.tar.gz
64cc02577add5f93352ffbd52f65e0b134cfe322b0c95f096e0b6a4f337b9a22 12288 libsndfile_1.0.28-1.debian.tar.xz
3c5e7d1493617536dc45eb906ee4875d9d04348a1f9e31bc91c398685028f82a 6971 libsndfile_1.0.28-1_amd64.buildinfo
Files:
b2b808eb68aea9fb3b79c69d49d79561 2195 devel optional libsndfile_1.0.28-1.dsc
646b5f98ce89ac60cdb060fcd398247c 1202833 devel optional libsndfile_1.0.28.orig.tar.gz
786f9a2fb9d1f6190bddd6ce5c99b1ca 12288 devel optional libsndfile_1.0.28-1.debian.tar.xz
c390acc1b0df39ba1d9f897921b5f1e5 6971 devel optional libsndfile_1.0.28-1_amd64.buildinfo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Aug 2017 07:25:12 GMT)
Last modified: Wed Jun 19 13:54:43 2019