Debian Bug report logs - #867724
Multiple security issues
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sat, 8 Jul 2017 22:09:01 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version faad2/2.7-1
Fixed in version faad2/2.8.1-1
Done: Fabian Greffrath <fabian@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#867724; Package src:faad2. (Sat, 08 Jul 2017 22:09:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 08 Jul 2017 22:09:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: faad2
Severity: important
Tags: security
Multiple vulnerabilities in faad2, please see:
http://seclists.org/fulldisclosure/2017/Jun/32
Cheers,
Moritz
Marked as found in versions faad2/2.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:30:03 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:30:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#867724; Package src:faad2. (Fri, 14 Jul 2017 09:36:03 GMT)
Acknowledgement sent to "Fabian Greffrath" <fabian@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 14 Jul 2017 09:36:03 GMT)
Message #14 received at 867724@bugs.debian.org:
control: tags -1 +patch +fixed-upstream
This has been fixed in upstream GIT.
Please find attached the cumulated patch
- Fabian
[faad2_867724.patch (application/octet-stream, attachment)]
Added tag(s) patch. Request was from "Fabian Greffrath" <fabian@debian.org> to 867724-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:36:03 GMT)
Added tag(s) fixed-upstream. Request was from "Fabian Greffrath" <fabian@debian.org> to 867724-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:36:04 GMT)
Added tag(s) pending. Request was from Fabian Greffrath <fabian@debian.org> to control@bugs.debian.org. (Mon, 17 Jul 2017 20:33:07 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#867724. (Mon, 17 Jul 2017 20:33:13 GMT)
Message #23 received at 867724-submitter@bugs.debian.org:
tag 867724 pending
thanks
Hello,
Bug #867724 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://anonscm.debian.org/git/pkg-multimedia/faad2.git/commit/?id=3a796f4
---
commit 3a796f4c0be9deaf87be5fa4ce6548090f9e64c0
Author: Fabian Greffrath <fabian@debian.org>
Date: Mon Jul 17 22:26:01 2017 +0200
update debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 6505e68..7987cb6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,24 @@
-faad2 (2.8.1-1) UNRELEASED; urgency=medium
-
- *
-
- -- Fabian Greffrath <fabian@debian.org> Mon, 17 Jul 2017 21:58:07 +0200
+faad2 (2.8.1-1) unstable; urgency=medium
+
+ * New upstream version 2.8.1.
+ + Fixes multiple vulnerabilities: CVE-2017-9218,
+ CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
+ CVE-2017-9222, CVE-2017-9223, CVE-2017-9253,
+ CVE-2017-9254, CVE-2017-9255, CVE-2017-9256,
+ CVE-2017-9257 (Closes: #867724).
+ * Update debian/watch file.
+ * Refresh reproducible-build.patch.
+ * Remove debian/README.source and debian/gbp.conf files,
+ they do not apply anymore.
+ * Bump Standards-Version to 4.0.0.
+ * Bump debhelper compat to 10.
+ * Fix vcs-field-uses-insecure-uri lintian warnings.
+ * Enable all hardening flags.
+ * Update debian/copyright,
+ refer to MPL-1.1 in common-licenses.
+ * Drop obsolete faad2-dbg package.
+
+ -- Fabian Greffrath <fabian@debian.org> Mon, 17 Jul 2017 22:25:26 +0200
faad2 (2.8.0~cvs20161113-1) unstable; urgency=medium
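Review bot: the "Fixes multiple vulnerabilities" entry credits the new upstream version alone with closing all eleven CVEs but pins that claim to nothing more specific than "2.8.1"; since this thread later shows upstream adding a follow-up commit after the first fix and the attached patch carrying a duplicated-struct crash, name the upstream commit (or tag) that 2.8.1 corresponds to in the entry, e.g. after "CVE-2017-9257 (Closes: #867724).", so stable-security backports can check they carry the same code. Minor style point in the same hunk: "Remove debian/README.source and debian/gbp.conf files, they do not apply anymore." is a comma splice; a semicolon or "as they" reads better.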
Reply sent to Fabian Greffrath <fabian@debian.org>: You have taken responsibility. (Mon, 17 Jul 2017 21:09:13 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 17 Jul 2017 21:09:13 GMT)
Message #28 received at 867724-close@bugs.debian.org:
Source: faad2
Source-Version: 2.8.1-1
We believe that the bug you reported is fixed in the latest version of
faad2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated faad2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 17 Jul 2017 22:25:26 +0200
Source: faad2
Binary: faad libfaad-dev libfaad2
Architecture: source amd64
Version: 2.8.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Description:
faad - freeware Advanced Audio Decoder player
libfaad-dev - freeware Advanced Audio Decoder - development files
libfaad2 - freeware Advanced Audio Decoder - runtime files
Closes: 867724
Changes:
faad2 (2.8.1-1) unstable; urgency=medium
.
* New upstream version 2.8.1.
+ Fixes multiple vulnerabilities: CVE-2017-9218,
CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
CVE-2017-9222, CVE-2017-9223, CVE-2017-9253,
CVE-2017-9254, CVE-2017-9255, CVE-2017-9256,
CVE-2017-9257 (Closes: #867724).
* Update debian/watch file.
* Refresh reproducible-build.patch.
* Remove debian/README.source and debian/gbp.conf files,
they do not apply anymore.
* Bump Standards-Version to 4.0.0.
* Bump debhelper compat to 10.
* Fix vcs-field-uses-insecure-uri lintian warnings.
* Enable all hardening flags.
* Update debian/copyright,
refer to MPL-1.1 in common-licenses.
* Drop obsolete faad2-dbg package.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#867724; Package src:faad2. (Sun, 27 Aug 2017 18:45:02 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 27 Aug 2017 18:45:02 GMT)
Message #33 received at 867724@bugs.debian.org:
On Fri, 14 Jul 2017 11:32:42 +0200 "Fabian Greffrath" <fabian@debian.org> wrote:
> control: tags -1 +patch +fixed-upstream
>
> This has been fixed in upstream GIT.
>
> Please find attached the cumulated patch
>
Hi Fabian,
I am currently working on a security update for faad2 in Wheezy. I saw
that upstream did another commit three days after you attached your
patch to this bug report.
https://sourceforge.net/p/faac/faad2/ci/a67c75ed600cf4b41205d69664d3d9106e9c5380/
Apparently there were some issues with an earlier version of your patch.
However, aside from the changes in two additional header files I don't
see a difference between your patch in this bug report and upstream's
latest commit to address the security vulnerabilities.
Are you aware of any issues with your patch?
Regards,
Markus
[signature.asc (application/pgp-signature, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#867724; Package src:faad2. (Sun, 27 Aug 2017 19:42:06 GMT)
Acknowledgement sent to Fabian Greffrath <fabian@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 27 Aug 2017 19:42:06 GMT)
Message #38 received at 867724@bugs.debian.org:
On Sunday, 27.08.2017, 20:33 +0200, Markus Koschany wrote:
> Are you aware of any issues with your patch?
Yes, there was an issue with my patch! I added a field to a struct to
keep track of reading errors, but the struct was defined in two
different places in the source code. This led to a crash when free()ing
a pointer to this struct on Linux, but not on Windows which I used to
develop the patch (don't ask).
Applying this patch on top of the one I sent to the Debian BTS should
fix this issue, although upstream decided to go a different way
and entirely replace the mp4ff library.
https://sourceforge.net/p/faac/bugs/209/?limit=25&page=1#d838
- Fabian
[signature.asc (application/pgp-signature, inline)]
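The failure Fabian describes above, as an added illustration that is not code from faad2 or from the patch in this thread: two source files each carry their own copy of a struct definition, one copy gains a field, and a store through the larger view lands past an object allocated through the smaller one. Struct and field names (mp4ff_ctx_a, mp4ff_ctx_b, read_error) are hypothetical stand-ins for the mp4ff context struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* File A's copy of the context struct (hypothetical): it allocates and free()s. */
struct mp4ff_ctx_a {
    uint32_t track_count;
    void    *buffer;
};

/* File B's copy: the patch added read_error here but not in file A's copy. */
struct mp4ff_ctx_b {
    uint32_t track_count;
    void    *buffer;
    int      read_error;         /* new field, present in only one definition */
};

/* 1 if storing read_error through B's view lands beyond an object that was
 * allocated with A's sizeof(): a heap overflow that typically corrupts
 * allocator bookkeeping and only surfaces later, inside free(). */
int write_overruns_allocation(void) {
    size_t alloc_size = sizeof(struct mp4ff_ctx_a);
    size_t field_end  = offsetof(struct mp4ff_ctx_b, read_error) + sizeof(int);
    return field_end > alloc_size;
}

/* Same effect made visible without a real out-of-bounds access: back the
 * object with storage large enough for B's view, fill the bytes past A's size
 * with a canary, record a read error through B's view, then check the canary.
 * Returns 1 if the bytes a real allocator would own were clobbered. */
int canary_clobbered(void) {
    union { struct mp4ff_ctx_b as_b; unsigned char raw[sizeof(struct mp4ff_ctx_b)]; } u;
    memset(u.raw, 0xAA, sizeof u.raw);
    u.as_b.read_error = 1;                 /* what file B does on a short read */
    for (size_t i = sizeof(struct mp4ff_ctx_a); i < sizeof u.raw; i++)
        if (u.raw[i] != 0xAA) return 1;
    return 0;
}

/* Fix: keep one definition in a shared header, and have the API carry
 * sizeof() across the boundary so a stale copy is rejected at runtime
 * instead of corrupting the heap. Returns 1 when both sides agree. */
int ctx_layout_matches(size_t caller_sizeof, size_t callee_sizeof) {
    return caller_sizeof == callee_sizeof;
}
```

The size mismatch is silent at compile time because each file is self-consistent; only a shared header, or a size check like the last function, makes the disagreement fail early.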
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#867724; Package src:faad2. (Wed, 30 Aug 2017 20:27:05 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 20:27:05 GMT)
Message #43 received at 867724@bugs.debian.org:
On Sun, 27 Aug 2017 21:29:43 +0200 Fabian Greffrath <fabian@debian.org> wrote:
> On Sunday, 27.08.2017, 20:33 +0200, Markus Koschany wrote:
> > Are you aware of any issues with your patch?
>
> Yes, there was an issue with my patch! I added a field to a struct to
> keep track of reading errors, but the struct was defined in two
> different places in the source code. This led to a crash when free()ing
> a pointer to this struct on Linux, but not on Windows which I used to
> develop the patch (don't ask).
>
> Applying this patch on top of the one I sent to the Debian BTS should
> fix this issue, although upstream decided to go a different way
> and entirely replace the mp4ff library.
>
> https://sourceforge.net/p/faac/bugs/209/?limit=25&page=1#d838
>
> - Fabian
Hi,
I uploaded a security update for faad2 to wheezy-security a few hours
ago. I am attaching the debdiff to this bug report.
Do you intend to fix the issue in Stretch too? I could prepare the
update for Jessie and ask the release team for a jessie-pu.
Markus
[faad2.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#867724; Package src:faad2. (Fri, 01 Sep 2017 09:15:03 GMT)
Acknowledgement sent to "Fabian Greffrath" <fabian@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 01 Sep 2017 09:15:03 GMT)
Message #48 received at 867724@bugs.debian.org:
Hi Markus,
Markus Koschany wrote:
> I uploaded a security update for faad2 to wheezy-security a few hours
> ago. I am attaching the debdiff to this bug report.
thank you very much for that!
> Do you intend to fix the issue in Stretch too? I could prepare the
> update for Jessie and ask the release team for a jessie-pu.
I don't have any plans to do that.
Cheers,
- Fabian
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Sep 2017 07:26:38 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 19:25:09 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.