libvorbis0a: potential security patch, needs review

Related Vulnerabilities: CVE-2008-2009  

Debian Bug report logs - #482039

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 20 May 2008 12:27:02 UTC

Severity: normal

Tags: security

Found in version libvorbis/1.2.0.dfsg-3

Fixed in version libvorbis/1.2.0.dfsg-4

Done: Clint Adams <schizo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers):
Bug#482039; Package libvorbis0a.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers).


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbis0a: potential security patch, needs review
Date: Tue, 20 May 2008 22:00:49 +1000
Package: libvorbis0a
Version: 1.2.0.dfsg-3
Severity: normal
Tags: security

Hi

As discussed on IRC with dato, here is the information on this:

The following CVE(0) has been issued against vorbis.

CVE-2008-2009:

Xiph.org libvorbis before 1.0 does not properly check for underpopulated
Huffman trees, which allows remote attackers to cause a denial of
service (crash) via a crafted OGG file that triggers memory corruption
during execution of the _make_decode_tree function.

Now the version in unstable is not as old as the one mentioned in the
CVE. However, I was wondering if the sanity checks upstream added in
their patch(1) are needed for our Debian versions as well.
Could someone familiar with the code maybe have a look?

Cheers
Steffen

(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2009

(1): https://trac.xiph.org/changeset/14811?format=diff&new=14811
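The CVE text above describes the hazard: a codebook whose Huffman tree is underpopulated reaches _make_decode_tree and corrupts memory. The following is an added illustration, not code from libvorbis or from the r14811 patch, of the kind of sanity check involved: verifying that a codebook's codeword lengths form an exactly full prefix tree (Kraft sum equal to 1) before any decode table is built from them. The function name, the enum, and the handling of codebooks with at most one used entry are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating one codebook's list of codeword lengths. */
enum tree_status {
    TREE_OK = 0,
    TREE_UNDERPOPULATED,   /* some prefixes are covered by no codeword */
    TREE_OVERPOPULATED,    /* the lengths would make codewords collide */
    TREE_BAD_LENGTH        /* a length outside 1..32 */
};

/*
 * Kraft check: for a full binary prefix tree the sum of 2^(-len) over all
 * used entries must be exactly 1. Working in units of 2^-32 keeps the sum
 * in integers. A length of 0 marks an unused entry (Vorbis convention).
 * Assumption for this example: a codebook with at most one used entry is
 * accepted as a special case rather than reported as underpopulated.
 */
enum tree_status check_huffman_lengths(const int *lengths, size_t n)
{
    const uint64_t full = (uint64_t)1 << 32;
    uint64_t kraft = 0;
    size_t used = 0;

    for (size_t i = 0; i < n; i++) {
        int len = lengths[i];
        if (len == 0)
            continue;                               /* unused entry */
        if (len < 0 || len > 32)
            return TREE_BAD_LENGTH;
        used++;
        kraft += (uint64_t)1 << (32 - len);
        if (kraft > full)                           /* also bounds the sum */
            return TREE_OVERPOPULATED;
    }
    if (used <= 1)
        return TREE_OK;                             /* special case, see above */
    return kraft == full ? TREE_OK : TREE_UNDERPOPULATED;
}

int main(void)
{
    /* Constructed sample lengths, not taken from any real Ogg file. */
    const int good[]  = {1, 2, 3, 3};   /* 1/2 + 1/4 + 1/8 + 1/8 = 1 */
    const int under[] = {1, 2, 3};      /* 7/8: one leaf is never reached */
    const int over[]  = {1, 1, 2};      /* 5/4: two codewords must collide */
    printf("%d %d %d\n", check_huffman_lengths(good, 4),
           check_huffman_lengths(under, 3), check_huffman_lengths(over, 3));
    return 0;
}
```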




Information forwarded to debian-bugs-dist@lists.debian.org, pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers):
Bug#482039; Package libvorbis0a.


Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers).


Message #10 received at 482039@bugs.debian.org:

From: Clint Adams <schizo@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 482039@bugs.debian.org
Subject: Re: Bug#482039: libvorbis0a: potential security patch, needs review
Date: Tue, 20 May 2008 16:01:08 +0000
On Tue, May 20, 2008 at 10:00:49PM +1000, Steffen Joeris wrote:
> (0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2009
> 
> (1): https://trac.xiph.org/changeset/14811?format=diff&new=14811

Additional info at

https://bugzilla.redhat.com/show_bug.cgi?id=444443




Reply sent to Clint Adams <schizo@debian.org>:
You have taken responsibility. (Sat, 28 Feb 2009 00:36:02 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 28 Feb 2009 00:36:02 GMT)


Message #15 received at 482039-close@bugs.debian.org:

From: Clint Adams <schizo@debian.org>
To: 482039-close@bugs.debian.org
Subject: Bug#482039: fixed in libvorbis 1.2.0.dfsg-4
Date: Sat, 28 Feb 2009 00:17:16 +0000
Source: libvorbis
Source-Version: 1.2.0.dfsg-4

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive:

libvorbis-dev_1.2.0.dfsg-4_i386.deb
  to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-4_i386.deb
libvorbis0a_1.2.0.dfsg-4_i386.deb
  to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-4_i386.deb
libvorbis_1.2.0.dfsg-4.diff.gz
  to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-4.diff.gz
libvorbis_1.2.0.dfsg-4.dsc
  to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-4.dsc
libvorbisenc2_1.2.0.dfsg-4_i386.deb
  to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-4_i386.deb
libvorbisfile3_1.2.0.dfsg-4_i386.deb
  to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <schizo@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 10 Jun 2008 12:06:58 -0400
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev
Architecture: source i386
Version: 1.2.0.dfsg-4
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Clint Adams <schizo@debian.org>
Description: 
 libvorbis-dev - The Vorbis General Audio Compression Codec (development files)
 libvorbis0a - The Vorbis General Audio Compression Codec
 libvorbisenc2 - The Vorbis General Audio Compression Codec
 libvorbisfile3 - The Vorbis General Audio Compression Codec
Closes: 482039
Changes: 
 libvorbis (1.2.0.dfsg-4) unstable; urgency=low
 .
   * Add upstream-r14811_huffman_sanity_checks.diff.  closes: #482039.
   * Bump to Standards-Version 3.8.0.
   * Remove myself from Uploaders.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Apr 2009 07:30:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:48:29 2019; Machine Name: beach
