libsndfile: CVE-2017-6892


Debian Bug report logs - #864704
libsndfile: CVE-2017-6892


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 13 Jun 2017 04:36:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version libsndfile/1.0.25-9.1

Fixed in version libsndfile/1.0.28-1

Done: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#864704; Package src:libsndfile. (Tue, 13 Jun 2017 04:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>. (Tue, 13 Jun 2017 04:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsndfile: CVE-2017-6892
Date: Tue, 13 Jun 2017 06:32:50 +0200
Source: libsndfile
Version: 1.0.25-9.1
Severity: important
Tags: upstream security patch

Hi,

the following vulnerability was published for libsndfile.

CVE-2017-6892[0]:
| In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()"
| function (aiff.c) can be exploited to cause an out-of-bounds read
| memory access via a specially crafted AIFF file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6892
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6892
[1] https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748

Regards,
Salvatore



Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>:
You have taken responsibility. (Tue, 20 Jun 2017 13:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 20 Jun 2017 13:51:05 GMT)


Message #10 received at 864704-close@bugs.debian.org:

From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
To: 864704-close@bugs.debian.org
Subject: Bug#864704: fixed in libsndfile 1.0.28-1
Date: Tue, 20 Jun 2017 13:46:50 +0000
Source: libsndfile
Source-Version: 1.0.28-1

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864704@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 20 Jun 2017 15:03:55 +0200
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs
Architecture: source
Version: 1.0.28-1
Distribution: unstable
Urgency: medium
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
Closes: 864704
Changes:
 libsndfile (1.0.28-1) unstable; urgency=medium
 .
   * New upstream version 1.0.28
 .
   * d/patches/
     * Removed patches applied upstream
     * Refreshed patches
     * Backported patch for fixing CVE-2017-6892
       (Closes: #864704)
     * Fixed more typos
   * d/control: single line per Depends
   * Switched packaging to shorthand dh
     * Build automatic debug packages
     * Dropped setting of DEB_*_GNU_TYPE and friends
   * Raised debhelper compat to 10
     * Dropped B-D on dh-autoreconf
     * B-D on autotools-dev
   * Use DEP5 for d/copyright
   * Bumped standards version to 4.0.0





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Aug 2017 07:25:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:54:43 2019; Machine Name: buxtehude
