Debian Bug report logs - #897015 flac: CVE-2017-6888
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 27 Apr 2018 06:00:02 UTC
Severity: important
Tags: security, upstream
Found in version flac/1.3.2-1
Fixed in version flac/1.3.2-2
Done: Fabian Greffrath <fabian@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#897015; Package src:flac. (Fri, 27 Apr 2018 06:00:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 27 Apr 2018 06:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: flac
Version: 1.3.2-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for flac.
CVE-2017-6888[0]:
| An error in the "read_metadata_vorbiscomment_()" function
| (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited
| to cause a memory leak via a specially crafted FLAC file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6888
[1] https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
[2] https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
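The bug class named in the report above (a metadata parse that fails part-way through a crafted file and returns without releasing what it had already allocated) can be shown in a few lines. The following is an added example written for this page, not libFLAC's code and not the upstream fix referenced in [2]: it is a constructed reader for a simplified Vorbis-comment-style block, with hypothetical names (parse_vc_leaky, parse_vc_fixed, vorbis_comment_t, live_allocations), that puts the leaky early returns beside a version with a single failure path that releases the partial object. The sample input is constructed inside the block.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libFLAC code: a minimal reader for a block laid out as
 *   u32le vendor_len, vendor bytes, u32le count, count x (u32le len, bytes)
 * The leak pattern (early return abandoning partial results) sits next to the
 * fix (one failure path that releases everything allocated so far). */
typedef struct {
    char   *vendor;
    size_t  num_comments;
    char  **comments;
} vorbis_comment_t;

/* Allocation counter so a leak is observable without an external tool. */
static long g_live = 0;
static void *vc_malloc(size_t n) { void *p = malloc(n); if (p) g_live++; return p; }
static void  vc_free(void *p)    { if (p) { g_live--; free(p); } }
long live_allocations(void)      { return g_live; }

typedef struct { const uint8_t *buf; size_t len, pos; } reader_t;

static int read_u32le(reader_t *r, uint32_t *v) {
    if (r->len - r->pos < 4) return 0;
    const uint8_t *p = r->buf + r->pos;
    *v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    r->pos += 4;
    return 1;
}

/* Length-prefixed string; a declared length running past the data is rejected
 * before anything is allocated. */
static int read_string(reader_t *r, char **out) {
    uint32_t n;
    if (!read_u32le(r, &n) || r->len - r->pos < n) return 0;
    char *s = vc_malloc((size_t)n + 1);
    if (!s) return 0;
    memcpy(s, r->buf + r->pos, n);
    s[n] = '\0';
    r->pos += n;
    *out = s;
    return 1;
}

void vc_release(vorbis_comment_t *vc) {
    for (size_t i = 0; i < vc->num_comments; i++) vc_free(vc->comments[i]);
    vc_free(vc->comments);
    vc_free(vc->vendor);
    memset(vc, 0, sizeof *vc);
}

/* Contract for both parsers: on failure the caller has nothing to free.
 * Leaky version: each early return abandons what was already allocated, so a
 * file truncated or mis-sized part-way through leaks on every parse attempt. */
int parse_vc_leaky(const uint8_t *buf, size_t len, vorbis_comment_t *vc) {
    reader_t r = { buf, len, 0 };
    uint32_t count;
    memset(vc, 0, sizeof *vc);
    if (!read_string(&r, &vc->vendor)) return 0;
    if (!read_u32le(&r, &count)) return 0;                 /* vendor leaks */
    if (count > (r.len - r.pos) / 4) return 0;             /* vendor leaks */
    vc->comments = vc_malloc((count + 1) * sizeof *vc->comments);
    if (!vc->comments) return 0;                           /* vendor leaks */
    for (uint32_t i = 0; i < count; i++) {
        if (!read_string(&r, &vc->comments[i])) return 0;  /* all of it leaks */
        vc->num_comments++;
    }
    return 1;
}

/* Fixed version: a single failure path releases the partial object. */
int parse_vc_fixed(const uint8_t *buf, size_t len, vorbis_comment_t *vc) {
    reader_t r = { buf, len, 0 };
    uint32_t count;
    memset(vc, 0, sizeof *vc);
    if (!read_string(&r, &vc->vendor)) goto fail;
    if (!read_u32le(&r, &count)) goto fail;
    if (count > (r.len - r.pos) / 4) goto fail;  /* each comment needs >= 4 bytes */
    vc->comments = vc_malloc((count + 1) * sizeof *vc->comments);
    if (!vc->comments) goto fail;
    for (uint32_t i = 0; i < count; i++) {
        if (!read_string(&r, &vc->comments[i])) goto fail;
        vc->num_comments++;
    }
    return 1;
fail:
    vc_release(vc);
    return 0;
}

/* Constructed sample: vendor "demo-vendor" plus two comments; with truncated != 0
 * the second comment declares 1000 bytes that are not present. */
static size_t put_u32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
    return 4;
}
static size_t put_str(uint8_t *p, const char *s) {
    size_t n = strlen(s);
    put_u32le(p, (uint32_t)n);
    memcpy(p + 4, s, n);
    return 4 + n;
}
size_t build_sample(uint8_t *out, int truncated) {
    size_t off = 0;
    off += put_str(out + off, "demo-vendor");
    off += put_u32le(out + off, 2);
    off += put_str(out + off, "TITLE=x");
    off += truncated ? put_u32le(out + off, 1000) : put_str(out + off, "ARTIST=y");
    return off;
}

int main(void) {
    uint8_t buf[64];
    vorbis_comment_t vc;
    size_t n = build_sample(buf, 1);
    parse_vc_leaky(buf, n, &vc);
    printf("leaky parser, truncated input: %ld allocations left behind\n", live_allocations());
    parse_vc_fixed(buf, n, &vc);
    printf("fixed parser, same input: still %ld (nothing new leaked)\n", live_allocations());
    return 0;
}
```

Run stand-alone, the block reports how many allocations each parser leaves behind on the truncated sample. The same balance check is what a leak detector such as valgrind or LeakSanitizer automates when a decoder is exercised with malformed inputs, which is how a defect of this kind is normally caught before release.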
Reply sent to Fabian Greffrath <fabian@debian.org>: You have taken responsibility. (Tue, 01 May 2018 21:42:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 01 May 2018 21:42:04 GMT)
Message #10 received at 897015-close@bugs.debian.org:
Source: flac
Source-Version: 1.3.2-2
We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 897015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated flac package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 01 May 2018 20:56:47 +0200
Source: flac
Binary: flac libflac8 libflac-doc libflac-dev libflac++6v5 libflac++-dev
Architecture: source amd64 all
Version: 1.3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Description:
flac - Free Lossless Audio Codec - command line tools
libflac++-dev - Free Lossless Audio Codec - C++ development library
libflac++6v5 - Free Lossless Audio Codec - C++ runtime library
libflac-dev - Free Lossless Audio Codec - C development library
libflac-doc - Free Lossless Audio Codec - library documentation
libflac8 - Free Lossless Audio Codec - runtime C library
Closes: 897015
Changes:
flac (1.3.2-2) unstable; urgency=medium
.
[ Ondřej Nový ]
* d/copyright: Use https protocol in Format field
* d/control: Set Vcs-* to salsa.debian.org
* d/changelog: Remove trailing whitespaces
.
[ Felipe Sateler ]
* Change maintainer address to debian-multimedia@lists.debian.org
.
[ Fabian Greffrath ]
* Apply two commits from upstream's GIT repo to fix memory leaks
(Closes: #897015, CVE-2017-6888).
Checksums-Sha1:
cbf2aa96a35caa747f64d4f5b1c28a95681bc6c6 2262 flac_1.3.2-2.dsc
020d852dda4885fdb6f8dfc2a3cc06f6ff57884e 17572 flac_1.3.2-2.debian.tar.xz
c188908b04e054d6f32c10e335a89f8dc79f2359 343004 flac-dbgsym_1.3.2-2_amd64.deb
240168373d82072059f29029e92fcb00bd8f3e01 7966 flac_1.3.2-2_amd64.buildinfo
a7fb397de93727f3ccfaa3975f460af152cd5362 160060 flac_1.3.2-2_amd64.deb
499abd3b8f6ab907c31f03cbc856136621b53fb0 41856 libflac++-dev_1.3.2-2_amd64.deb
d48ae45b05e10c95d06c1cd214644fd4d300fd29 97608 libflac++6v5-dbgsym_1.3.2-2_amd64.deb
d12927ce5ba1198a6ad459f72a828d1842a963c7 37608 libflac++6v5_1.3.2-2_amd64.deb
de6061ed1695a0427739cf7e5cbf72082e649f36 269572 libflac-dev_1.3.2-2_amd64.deb
4368a60c99d5edecbad8d05ec4d045329ba458fc 407084 libflac-doc_1.3.2-2_all.deb
5acfa390e53f91565e5683d763040632e0b34b32 393464 libflac8-dbgsym_1.3.2-2_amd64.deb
5a468b49f68e1afce778762cc381492ce9c64316 221168 libflac8_1.3.2-2_amd64.deb
Checksums-Sha256:
42d152c814b8ad8e4dbca78ae1bd186bd900183333fbd2c7400bd2158fd50e04 2262 flac_1.3.2-2.dsc
e9a80989dddba338a6f32df4a21c67b19ff983fcbd50e0cf3e8ddaf8956bacb0 17572 flac_1.3.2-2.debian.tar.xz
4665256e07d054b78587c13ff19163fa56699290d9aa6a1261faf0a93682e33b 343004 flac-dbgsym_1.3.2-2_amd64.deb
307ca26be376eff467517514e474289f6bb2fda93897c8a1adcb4de79032c382 7966 flac_1.3.2-2_amd64.buildinfo
3133f539afcc70d25d3ddb917817d5e45747a3c69eca3b31f4ee8e378b18933f 160060 flac_1.3.2-2_amd64.deb
3d178bb9a83142951cafd0b1e138feb4b0614544bb45a56aa1b5b955d0d80ca3 41856 libflac++-dev_1.3.2-2_amd64.deb
acbd2dc3ec3ac900c5a641c3d408f13fe379aeb15be7cc60418b417f0b8af19c 97608 libflac++6v5-dbgsym_1.3.2-2_amd64.deb
6a05c3c92406bc8fa6689e0d5b79478dbb1e003e275575e2b7d1f01bdacb3d85 37608 libflac++6v5_1.3.2-2_amd64.deb
baf492ef6f5ec8081560156b0e4bc12e04b9d12f5be0ad0dbf5e96634ff718f8 269572 libflac-dev_1.3.2-2_amd64.deb
33307fa0d0480e6995d0a54986403fda8c98764edbb35411f125cd060d342b53 407084 libflac-doc_1.3.2-2_all.deb
acf988527d469cbc694758df445a4ffca0c92cfd45617878d195c6968f465d43 393464 libflac8-dbgsym_1.3.2-2_amd64.deb
ebf5b638c820addf380e1abd46927c8e8bfa408ea5297a161a509b862113c2aa 221168 libflac8_1.3.2-2_amd64.deb
Files:
7a025bba4712ab07012fcc4a115eae22 2262 sound optional flac_1.3.2-2.dsc
9ec39ddea755765ccdb0b05c8805d028 17572 sound optional flac_1.3.2-2.debian.tar.xz
0d1a58ab2e4c8447e4a305f5f943ffc3 343004 debug optional flac-dbgsym_1.3.2-2_amd64.deb
75f591d1baf528a624620ea660390df3 7966 sound optional flac_1.3.2-2_amd64.buildinfo
c2899c84275055a0bb9cc8b6c1a208c5 160060 sound optional flac_1.3.2-2_amd64.deb
7f226202a5fc4e69587b3b6dd8c54141 41856 libdevel optional libflac++-dev_1.3.2-2_amd64.deb
7e91d30e63315fce3105c21674bd9395 97608 debug optional libflac++6v5-dbgsym_1.3.2-2_amd64.deb
7aba81be83a83269ec76d8de9aacecfb 37608 libs optional libflac++6v5_1.3.2-2_amd64.deb
91d354ecd713cb8bb07c98e34b8cbff6 269572 libdevel optional libflac-dev_1.3.2-2_amd64.deb
61d795b65e53276fd5da1fedaf7acb71 407084 doc optional libflac-doc_1.3.2-2_all.deb
b16ebb449aba889990aeb29d11f6fea7 393464 debug optional libflac8-dbgsym_1.3.2-2_amd64.deb
cec4afe7410894c9ae33f007d07bd89b 221168 libs optional libflac8_1.3.2-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCAAwFiEEIsF2SKlSa4TfGRyWy+qOlwzNWd8FAlrouyYSHGZhYmlhbkBk
ZWJpYW4ub3JnAAoJEMvqjpcMzVnfg8kP/j2xXeRZqB8pndiol9A6qdaj37NCOE10
/z/bxHWPixYS1SHYALbdeEc/kqR1R7CeLd8s6wvoCTZCG7YP6S8bRifJBjM3wbcy
ZZ7ttBIp8PJmxxEgpKwuu+TH9BHxLUVU5Z7ZWt/NAQ253b7p0FquJvO4g5WcGCvn
NGCETHTmQkaL+jLDJOPkLnVQuuautCKO5xn9q5VX85r+gU19kAL2cQfHnHYbapy3
rulc6ClDNsgFIPN24cDCyewSQhp3SFuzTWgkkdNdavxZfVVtrf+GpXjj8ZQeZ8xc
XDn8+409PK0Ks7GhaHQKcJB7PODepSiwGrrcR+5AnF09xs0HNM1NVSJGPPsFmynR
s/USue2u+pIP0c1o0iLDG6QgJiGxmgFTl4GfSsiUOdyHyrOS82ZHXlYANCEEH4s/
sR92RNtOKlV2I+ZrzLR1ySM2HxHyIlU8kQQvB7EdL6P6dcsirKqonU4Vf9erWmXM
JlNLwhCZKxY7s3qnKukzbNQDSrrf19OmssskeT5etXsyhdkupXJZLodPv4uCpVcK
SIKhBfC/WzkxtCtHXIr8sPGtAmFad6Q9fzQ3/ulHEbj9yXitjSUrOtztVPFxdDs1
IeCITWac+h4RI0kUuzIJQY+Upoj+S9goJ0UvRDG7SyZUd9G/dyMHBnvhkI9+BJCE
V4OiyJ/r8YfF
=WvG5
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2018 07:26:43 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:16 2019; Machine Name: buxtehude