Debian Bug report logs - #897015
flac: CVE-2017-6888


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 27 Apr 2018 06:00:02 UTC

Severity: important

Tags: security, upstream

Found in version flac/1.3.2-1

Fixed in version flac/1.3.2-2

Done: Fabian Greffrath <fabian@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#897015; Package src:flac. (Fri, 27 Apr 2018 06:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 27 Apr 2018 06:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flac: CVE-2017-6888
Date: Fri, 27 Apr 2018 07:57:05 +0200
Source: flac
Version: 1.3.2-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for flac.

CVE-2017-6888[0]:
| An error in the "read_metadata_vorbiscomment_()" function
| (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited
| to cause a memory leak via a specially crafted FLAC file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6888
[1] https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
[2] https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
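
The CVE text quoted above describes an error path in a metadata parser that leaves already-allocated comment entries unreleased when a crafted file makes the read fail part-way through. The C program below is an added illustration of that bug class; it is not libFLAC's read_metadata_vorbiscomment_() and not the upstream fix referenced in [2]. It parses a constructed Vorbis-comment-style byte stream (u32 count, then count length-prefixed entries) with two variants of the same routine: one that mirrors an early "return false" on a truncated entry and so leaks whatever it has allocated so far, and one that releases its partial state on every failure. The record layout, the MAX_COMMENTS cap, all function and struct names, and the sample bytes are assumptions made for this example.

```c
/*
 * Constructed illustration of the bug class behind CVE-2017-6888: a memory
 * leak on the error path of a metadata parser. NOT libFLAC's code and NOT the
 * upstream fix; layout, names, MAX_COMMENTS and sample bytes are assumptions.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_COMMENTS 1024   /* hypothetical sanity cap on the attacker-controlled count */

/* Live heap-block counter so a leak is observable without an external tool. */
static int live_blocks = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void  track_free(void *p)    { if (p) { free(p); live_blocks--; } }

/* Vorbis-comment-like layout, little-endian: u32 count, then count x { u32 len, len bytes }. */
struct comment { uint32_t length; uint8_t *entry; };
struct block   { uint32_t num_comments; struct comment *comments; };

static int read_u32le(const uint8_t *buf, size_t buflen, size_t *pos, uint32_t *out) {
    if (buflen - *pos < 4) return 0;                  /* truncated input */
    *out = (uint32_t)buf[*pos] | (uint32_t)buf[*pos + 1] << 8 |
           (uint32_t)buf[*pos + 2] << 16 | (uint32_t)buf[*pos + 3] << 24;
    *pos += 4;
    return 1;
}

/* Releases every entry recorded in num_comments plus the array itself. */
void block_free(struct block *obj) {
    for (uint32_t i = 0; i < obj->num_comments; i++) track_free(obj->comments[i].entry);
    track_free(obj->comments);
    obj->comments = NULL;
    obj->num_comments = 0;
}

/* Shared parser body. Returns 1 on success, 0 on failure. `cleanup_on_error`
 * selects between the leaky behaviour (bail out, leave partial state to a
 * caller who never frees a block it was told is invalid) and the fixed one. */
static int parse_comments(const uint8_t *buf, size_t buflen, struct block *obj, int cleanup_on_error) {
    size_t pos = 0;
    uint32_t n, i;
    obj->comments = NULL;
    obj->num_comments = 0;
    if (!read_u32le(buf, buflen, &pos, &n) || n > MAX_COMMENTS) return 0;  /* nothing allocated yet */
    if (n == 0) return 1;
    obj->comments = track_malloc(n * sizeof *obj->comments);
    if (!obj->comments) return 0;
    for (i = 0; i < n; i++) {
        uint32_t len;
        if (!read_u32le(buf, buflen, &pos, &len)) goto fail;  /* short read: entries 0..i-1 are live */
        if (len > buflen - pos) goto fail;                    /* declared length exceeds remaining data */
        obj->comments[i].entry = track_malloc((size_t)len + 1);
        if (!obj->comments[i].entry) goto fail;
        memcpy(obj->comments[i].entry, buf + pos, len);
        obj->comments[i].entry[len] = 0;
        obj->comments[i].length = len;
        pos += len;
        obj->num_comments = i + 1;   /* record ownership only once the entry is fully read */
    }
    return 1;
fail:
    /* The leaky variant mirrors an early `return false` that skips this cleanup. */
    if (cleanup_on_error) block_free(obj);
    return 0;
}

int parse_comments_leaky(const uint8_t *b, size_t n, struct block *o) { return parse_comments(b, n, o, 0); }
int parse_comments_fixed(const uint8_t *b, size_t n, struct block *o) { return parse_comments(b, n, o, 1); }

typedef int (*parser_fn)(const uint8_t *, size_t, struct block *);

/* Constructed inputs: a well-formed block with two entries, and one whose
 * second entry declares 100 bytes but is followed by only 3. */
static const uint8_t VALID[]     = { 2,0,0,0, 5,0,0,0,'h','e','l','l','o', 3,0,0,0,'a','=','b' };
static const uint8_t TRUNCATED[] = { 2,0,0,0, 5,0,0,0,'h','e','l','l','o', 100,0,0,0,'a','b','c' };

/* Parses the truncated input the way a caller that treats failure as "nothing
 * to free" would, and reports how many heap blocks are still outstanding. */
int live_blocks_after_truncated_parse(parser_fn parse) {
    struct block obj;
    live_blocks = 0;
    if (parse(TRUNCATED, sizeof TRUNCATED, &obj)) block_free(&obj);  /* not reached for this input */
    return live_blocks;
}

/* Returns 1 if the valid input parses to the expected two entries and is freed cleanly. */
int parse_valid_ok(parser_fn parse) {
    struct block obj;
    int ok;
    live_blocks = 0;
    if (!parse(VALID, sizeof VALID, &obj)) return 0;
    ok = obj.num_comments == 2 &&
         obj.comments[0].length == 5 && memcmp(obj.comments[0].entry, "hello", 5) == 0 &&
         obj.comments[1].length == 3 && memcmp(obj.comments[1].entry, "a=b", 3) == 0;
    block_free(&obj);
    return ok && live_blocks == 0;
}

int main(void) {
    printf("leaky parser, truncated input: %d block(s) still allocated\n",
           live_blocks_after_truncated_parse(parse_comments_leaky));
    printf("fixed parser, truncated input: %d block(s) still allocated\n",
           live_blocks_after_truncated_parse(parse_comments_fixed));
    printf("fixed parser, valid input: %s\n", parse_valid_ok(parse_comments_fixed) ? "ok" : "FAILED");
    return 0;
}
```

On the truncated input the leaky variant leaves two blocks live (the entry array and the first comment), the fixed variant none; both parse the valid input identically. The practical point for a decoder handling untrusted files is that num_comments must only count entries the parser actually owns, and every failure exit must pass through the same release path, otherwise a stream of crafted files can exhaust memory in a long-running process.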



Reply sent to Fabian Greffrath <fabian@debian.org>:
You have taken responsibility. (Tue, 01 May 2018 21:42:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 May 2018 21:42:04 GMT)


Message #10 received at 897015-close@bugs.debian.org:

From: Fabian Greffrath <fabian@debian.org>
To: 897015-close@bugs.debian.org
Subject: Bug#897015: fixed in flac 1.3.2-2
Date: Tue, 01 May 2018 21:40:20 +0000
Source: flac
Source-Version: 1.3.2-2

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 May 2018 20:56:47 +0200
Source: flac
Binary: flac libflac8 libflac-doc libflac-dev libflac++6v5 libflac++-dev
Architecture: source amd64 all
Version: 1.3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Description:
 flac       - Free Lossless Audio Codec - command line tools
 libflac++-dev - Free Lossless Audio Codec - C++ development library
 libflac++6v5 - Free Lossless Audio Codec - C++ runtime library
 libflac-dev - Free Lossless Audio Codec - C development library
 libflac-doc - Free Lossless Audio Codec - library documentation
 libflac8   - Free Lossless Audio Codec - runtime C library
Closes: 897015
Changes:
 flac (1.3.2-2) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field
   * d/control: Set Vcs-* to salsa.debian.org
   * d/changelog: Remove trailing whitespaces
 .
   [ Felipe Sateler ]
   * Change maintainer address to debian-multimedia@lists.debian.org
 .
   [ Fabian Greffrath ]
   * Apply two commits from upstream's GIT repo to fix memory leaks
     (Closes: #897015, CVE-2017-6888).
Checksums-Sha1:
 cbf2aa96a35caa747f64d4f5b1c28a95681bc6c6 2262 flac_1.3.2-2.dsc
 020d852dda4885fdb6f8dfc2a3cc06f6ff57884e 17572 flac_1.3.2-2.debian.tar.xz
 c188908b04e054d6f32c10e335a89f8dc79f2359 343004 flac-dbgsym_1.3.2-2_amd64.deb
 240168373d82072059f29029e92fcb00bd8f3e01 7966 flac_1.3.2-2_amd64.buildinfo
 a7fb397de93727f3ccfaa3975f460af152cd5362 160060 flac_1.3.2-2_amd64.deb
 499abd3b8f6ab907c31f03cbc856136621b53fb0 41856 libflac++-dev_1.3.2-2_amd64.deb
 d48ae45b05e10c95d06c1cd214644fd4d300fd29 97608 libflac++6v5-dbgsym_1.3.2-2_amd64.deb
 d12927ce5ba1198a6ad459f72a828d1842a963c7 37608 libflac++6v5_1.3.2-2_amd64.deb
 de6061ed1695a0427739cf7e5cbf72082e649f36 269572 libflac-dev_1.3.2-2_amd64.deb
 4368a60c99d5edecbad8d05ec4d045329ba458fc 407084 libflac-doc_1.3.2-2_all.deb
 5acfa390e53f91565e5683d763040632e0b34b32 393464 libflac8-dbgsym_1.3.2-2_amd64.deb
 5a468b49f68e1afce778762cc381492ce9c64316 221168 libflac8_1.3.2-2_amd64.deb
Checksums-Sha256:
 42d152c814b8ad8e4dbca78ae1bd186bd900183333fbd2c7400bd2158fd50e04 2262 flac_1.3.2-2.dsc
 e9a80989dddba338a6f32df4a21c67b19ff983fcbd50e0cf3e8ddaf8956bacb0 17572 flac_1.3.2-2.debian.tar.xz
 4665256e07d054b78587c13ff19163fa56699290d9aa6a1261faf0a93682e33b 343004 flac-dbgsym_1.3.2-2_amd64.deb
 307ca26be376eff467517514e474289f6bb2fda93897c8a1adcb4de79032c382 7966 flac_1.3.2-2_amd64.buildinfo
 3133f539afcc70d25d3ddb917817d5e45747a3c69eca3b31f4ee8e378b18933f 160060 flac_1.3.2-2_amd64.deb
 3d178bb9a83142951cafd0b1e138feb4b0614544bb45a56aa1b5b955d0d80ca3 41856 libflac++-dev_1.3.2-2_amd64.deb
 acbd2dc3ec3ac900c5a641c3d408f13fe379aeb15be7cc60418b417f0b8af19c 97608 libflac++6v5-dbgsym_1.3.2-2_amd64.deb
 6a05c3c92406bc8fa6689e0d5b79478dbb1e003e275575e2b7d1f01bdacb3d85 37608 libflac++6v5_1.3.2-2_amd64.deb
 baf492ef6f5ec8081560156b0e4bc12e04b9d12f5be0ad0dbf5e96634ff718f8 269572 libflac-dev_1.3.2-2_amd64.deb
 33307fa0d0480e6995d0a54986403fda8c98764edbb35411f125cd060d342b53 407084 libflac-doc_1.3.2-2_all.deb
 acf988527d469cbc694758df445a4ffca0c92cfd45617878d195c6968f465d43 393464 libflac8-dbgsym_1.3.2-2_amd64.deb
 ebf5b638c820addf380e1abd46927c8e8bfa408ea5297a161a509b862113c2aa 221168 libflac8_1.3.2-2_amd64.deb
Files:
 7a025bba4712ab07012fcc4a115eae22 2262 sound optional flac_1.3.2-2.dsc
 9ec39ddea755765ccdb0b05c8805d028 17572 sound optional flac_1.3.2-2.debian.tar.xz
 0d1a58ab2e4c8447e4a305f5f943ffc3 343004 debug optional flac-dbgsym_1.3.2-2_amd64.deb
 75f591d1baf528a624620ea660390df3 7966 sound optional flac_1.3.2-2_amd64.buildinfo
 c2899c84275055a0bb9cc8b6c1a208c5 160060 sound optional flac_1.3.2-2_amd64.deb
 7f226202a5fc4e69587b3b6dd8c54141 41856 libdevel optional libflac++-dev_1.3.2-2_amd64.deb
 7e91d30e63315fce3105c21674bd9395 97608 debug optional libflac++6v5-dbgsym_1.3.2-2_amd64.deb
 7aba81be83a83269ec76d8de9aacecfb 37608 libs optional libflac++6v5_1.3.2-2_amd64.deb
 91d354ecd713cb8bb07c98e34b8cbff6 269572 libdevel optional libflac-dev_1.3.2-2_amd64.deb
 61d795b65e53276fd5da1fedaf7acb71 407084 doc optional libflac-doc_1.3.2-2_all.deb
 b16ebb449aba889990aeb29d11f6fea7 393464 debug optional libflac8-dbgsym_1.3.2-2_amd64.deb
 cec4afe7410894c9ae33f007d07bd89b 221168 libs optional libflac8_1.3.2-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEEIsF2SKlSa4TfGRyWy+qOlwzNWd8FAlrouyYSHGZhYmlhbkBk
ZWJpYW4ub3JnAAoJEMvqjpcMzVnfg8kP/j2xXeRZqB8pndiol9A6qdaj37NCOE10
/z/bxHWPixYS1SHYALbdeEc/kqR1R7CeLd8s6wvoCTZCG7YP6S8bRifJBjM3wbcy
ZZ7ttBIp8PJmxxEgpKwuu+TH9BHxLUVU5Z7ZWt/NAQ253b7p0FquJvO4g5WcGCvn
NGCETHTmQkaL+jLDJOPkLnVQuuautCKO5xn9q5VX85r+gU19kAL2cQfHnHYbapy3
rulc6ClDNsgFIPN24cDCyewSQhp3SFuzTWgkkdNdavxZfVVtrf+GpXjj8ZQeZ8xc
XDn8+409PK0Ks7GhaHQKcJB7PODepSiwGrrcR+5AnF09xs0HNM1NVSJGPPsFmynR
s/USue2u+pIP0c1o0iLDG6QgJiGxmgFTl4GfSsiUOdyHyrOS82ZHXlYANCEEH4s/
sR92RNtOKlV2I+ZrzLR1ySM2HxHyIlU8kQQvB7EdL6P6dcsirKqonU4Vf9erWmXM
JlNLwhCZKxY7s3qnKukzbNQDSrrf19OmssskeT5etXsyhdkupXJZLodPv4uCpVcK
SIKhBfC/WzkxtCtHXIr8sPGtAmFad6Q9fzQ3/ulHEbj9yXitjSUrOtztVPFxdDs1
IeCITWac+h4RI0kUuzIJQY+Upoj+S9goJ0UvRDG7SyZUd9G/dyMHBnvhkI9+BJCE
V4OiyJ/r8YfF
=WvG5
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2018 07:26:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:16 2019; Machine Name: buxtehude
