CVE-2009-3378: liboggplay issue discovered by Mozilla

Related Vulnerabilities: CVE-2009-3378  

Debian Bug report logs - #552743

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 29 Oct 2009 02:45:02 UTC

Severity: grave

Tags: security

Fixed in version liboggplay/0.2.1~git20091120-1

Done: John Francesco Ferlito <johnf@inodes.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, John Francesco Ferlito <johnf@inodes.org>:
Bug#552743; Package liboggplay. (Thu, 29 Oct 2009 02:45:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, John Francesco Ferlito <johnf@inodes.org>. (Thu, 29 Oct 2009 02:45:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3378: liboggplay issue discovered by Mozilla
Date: Wed, 28 Oct 2009 23:21:11 +0100
Package: liboggplay
Severity: grave
Tags: security

Firefox 3.5.4 fixed a security issue in the embedded liboggplay
copy:  http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

I checked the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=500311
and it is missing in the version from unstable.

BTW, the fixes for liboggz and libvorbis (also from Firefox 
3.5.4) are already fixed in unstable, but still need to be fixed
for stable-security. If you can prepare updated packages, please
contact team@security.debian.org

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Reply sent to John Francesco Ferlito <johnf@inodes.org>:
You have taken responsibility. (Sat, 12 Dec 2009 04:36:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 12 Dec 2009 04:36:07 GMT)


Message #10 received at 552743-close@bugs.debian.org:

From: John Francesco Ferlito <johnf@inodes.org>
To: 552743-close@bugs.debian.org
Subject: Bug#552743: fixed in liboggplay 0.2.1~git20091120-1
Date: Sat, 12 Dec 2009 04:34:19 +0000
Source: liboggplay
Source-Version: 0.2.1~git20091120-1

We believe that the bug you reported is fixed in the latest version of
liboggplay, which is due to be installed in the Debian FTP archive:

liboggplay1-dbg_0.2.1~git20091120-1_i386.deb
  to main/libo/liboggplay/liboggplay1-dbg_0.2.1~git20091120-1_i386.deb
liboggplay1-dev_0.2.1~git20091120-1_i386.deb
  to main/libo/liboggplay/liboggplay1-dev_0.2.1~git20091120-1_i386.deb
liboggplay1_0.2.1~git20091120-1_i386.deb
  to main/libo/liboggplay/liboggplay1_0.2.1~git20091120-1_i386.deb
liboggplay_0.2.1~git20091120-1.diff.gz
  to main/libo/liboggplay/liboggplay_0.2.1~git20091120-1.diff.gz
liboggplay_0.2.1~git20091120-1.dsc
  to main/libo/liboggplay/liboggplay_0.2.1~git20091120-1.dsc
liboggplay_0.2.1~git20091120.orig.tar.gz
  to main/libo/liboggplay/liboggplay_0.2.1~git20091120.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552743@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Francesco Ferlito <johnf@inodes.org> (supplier of updated liboggplay package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Dec 2009 13:45:51 +1100
Source: liboggplay
Binary: liboggplay1 liboggplay1-dev liboggplay1-dbg
Architecture: source i386
Version: 0.2.1~git20091120-1
Distribution: unstable
Urgency: low
Maintainer: John Francesco Ferlito <johnf@inodes.org>
Changed-By: John Francesco Ferlito <johnf@inodes.org>
Description: 
 liboggplay1 - A library for playing OGG multimedia
 liboggplay1-dbg - A library for playing OGG multimedia (debugging symbols)
 liboggplay1-dev - A library for playing OGG multimedia (development files)
Closes: 552743 557774
Changes: 
 liboggplay (0.2.1~git20091120-1) unstable; urgency=low
 .
   * Use latest git version.
   * Move to debhelper dh.
   * Add ${misc:Depends}.
   * Patch for CVE-2009-3378 (Closes: #552743).
   * Fix missing files in -dev package (Closes: #557774).
   * Add README.source as we are now using quilt.
Checksums-Sha1: 
 d88889fb76ad38a777ce1736ece85f4c1cf50aee 1207 liboggplay_0.2.1~git20091120-1.dsc
 4ac2a16654d4811d8e0f074c909975e3fa16bcb5 735539 liboggplay_0.2.1~git20091120.orig.tar.gz
 3a336129cc7ecf360934e72222f59b57711eccc6 3633 liboggplay_0.2.1~git20091120-1.diff.gz
 beeba76f8d1ea503ea7f80bf8671bc6beb78a9a2 31398 liboggplay1_0.2.1~git20091120-1_i386.deb
 cf29a7dacec95980c0474594b68429d92171d010 38790 liboggplay1-dev_0.2.1~git20091120-1_i386.deb
 a63e3eb83df7184418dcd4c4c1dfe27e436e69eb 60098 liboggplay1-dbg_0.2.1~git20091120-1_i386.deb
Checksums-Sha256: 
 3a5b66457973385507d7f37444ee77e10ce2007c618a0c675ff1794ac2ee0349 1207 liboggplay_0.2.1~git20091120-1.dsc
 e77df037d0b08e3f2b71c359123e354e63acca67fa36ca333853cb3cab6b86e5 735539 liboggplay_0.2.1~git20091120.orig.tar.gz
 4beea9e09ee44ffe4914080774472682d54296e719d327389cfb13ad5c85cbdb 3633 liboggplay_0.2.1~git20091120-1.diff.gz
 3756afd34a1db69efdf705a48ba41bdbd0da13cad7432efe2769e72b8f90da71 31398 liboggplay1_0.2.1~git20091120-1_i386.deb
 07df63c859a4001ffe1678aa1a093a116a4df3040b464a2f29163115b161f8ad 38790 liboggplay1-dev_0.2.1~git20091120-1_i386.deb
 2e9859d48b5a935757c9d213ea305d8731081f16138dc90498c93effc7a2d19a 60098 liboggplay1-dbg_0.2.1~git20091120-1_i386.deb
Files: 
 0a72239c3c2344309aa819158b9a2f49 1207 libs extra liboggplay_0.2.1~git20091120-1.dsc
 ca95a426111d4593e2e09ca406b77604 735539 libs extra liboggplay_0.2.1~git20091120.orig.tar.gz
 2775f479d924a050be9ffb9490a77a83 3633 libs extra liboggplay_0.2.1~git20091120-1.diff.gz
 c7160c02d4dd770800e8330490a68509 31398 libs extra liboggplay1_0.2.1~git20091120-1_i386.deb
 d93fb0655266afcd44e1dfffa82e2ea1 38790 libdevel extra liboggplay1-dev_0.2.1~git20091120-1_i386.deb
 b4d3c669d9f140083ef6dfbfe07cae1d 60098 debug extra liboggplay1-dbg_0.2.1~git20091120-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksjFI0ACgkQYcdJscd4KNQ+rgCeKUAGT86AHmaknbuoXHH3QOYd
qIAAnioBez+HTe1p52Rt3qn1mJOS79QW
=3mSG
-----END PGP SIGNATURE-----
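The signed .changes text above carries a Checksums-Sha256 stanza of the form "digest size filename" for every uploaded file. The following is an example added to this page, not a Debian tool, showing how to parse such a stanza and verify a directory of downloaded files against it, reporting missing files and size or digest mismatches separately. The files and the stanza in the demo are constructed inside a temporary directory so the example runs offline; the filenames reuse those listed above but their contents are invented.

```python
"""Verify downloaded files against a .changes 'Checksums-Sha256:' stanza.

Example code added to this page, not part of Debian's tooling.  The demo
builds constructed files and a matching stanza, then tampers with one file
and omits another to show how each failure is reported.
"""
import hashlib
import os
import tempfile


def parse_checksums(stanza: str) -> dict:
    """Parse 'Checksums-Sha256:' continuation lines into {name: (hex_digest, size)}."""
    entries = {}
    for line in stanza.strip().splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue  # skip blanks and the field-name line itself
        digest, size, name = line.split()
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_directory(stanza: str, directory: str) -> dict:
    """Return {name: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}."""
    results = {}
    for name, (digest, size) in parse_checksums(stanza).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "hash-mismatch"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one tampered after hashing,
    one listed in the stanza but never downloaded."""
    files = {  # constructed contents, not the real archive files
        "liboggplay_0.2.1~git20091120-1.dsc": b"Format: 1.0\nSource: liboggplay\n",
        "liboggplay_0.2.1~git20091120-1.diff.gz": b"\x1f\x8b constructed bytes",
    }
    with tempfile.TemporaryDirectory() as d:
        lines = ["Checksums-Sha256:"]
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
        # A file the stanza lists that is absent from the download directory
        # (digest is a placeholder, not the real one from the page).
        lines.append(f" {'0' * 64} 735539 liboggplay_0.2.1~git20091120.orig.tar.gz")
        stanza = "\n".join(lines)
        # Flip one byte of the diff after its checksum was recorded; the size
        # stays the same, so only the digest check can catch it.
        with open(os.path.join(d, "liboggplay_0.2.1~git20091120-1.diff.gz"), "r+b") as f:
            f.write(b"\x00")
        return verify_directory(stanza, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14} {name}")
```

The checksums are only as trustworthy as the PGP signature wrapping the .changes file: verify that signature against the Debian keyring first, then check the files against the stanza. The size check is a cheap pre-filter, not a substitute for the digest comparison, as the tampered file in the demo shows.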





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jan 2010 07:36:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:43:18 2019; Machine Name: buxtehude
