Debian Bug report logs - #867724
Multiple security issues

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 8 Jul 2017 22:09:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version faad2/2.7-1

Fixed in version faad2/2.8.1-1

Done: Fabian Greffrath <fabian@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#867724; Package src:faad2. (Sat, 08 Jul 2017 22:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 08 Jul 2017 22:09:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Sun, 09 Jul 2017 00:07:40 +0200
Source: faad2
Severity: important
Tags: security

Multiple vulnerabilities in faad2, please see:
http://seclists.org/fulldisclosure/2017/Jun/32 

Cheers,
        Moritz



Marked as found in versions faad2/2.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:30:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Jul 2017 07:30:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#867724; Package src:faad2. (Fri, 14 Jul 2017 09:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Fabian Greffrath" <fabian@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 14 Jul 2017 09:36:03 GMT) (full text, mbox, link).


Message #14 received at 867724@bugs.debian.org (full text, mbox, reply):

From: "Fabian Greffrath" <fabian@debian.org>
To: "Moritz Muehlenhoff" <jmm@debian.org>, 867724@bugs.debian.org
Subject: Re: Bug#867724: Multiple security issues
Date: Fri, 14 Jul 2017 11:32:42 +0200
[Message part 1 (text/plain, inline)]
control: tags -1 +patch +fixed-upstream

This has been fixed in upstream GIT.

Please find attached the cumulated patch.

 - Fabian
[faad2_867724.patch (application/octet-stream, attachment)]

Added tag(s) patch. Request was from "Fabian Greffrath" <fabian@debian.org> to 867724-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:36:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from "Fabian Greffrath" <fabian@debian.org> to 867724-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:36:04 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Fabian Greffrath <fabian@debian.org> to control@bugs.debian.org. (Mon, 17 Jul 2017 20:33:07 GMT) (full text, mbox, link).


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#867724. (Mon, 17 Jul 2017 20:33:13 GMT) (full text, mbox, link).


Message #23 received at 867724-submitter@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@debian.org>
To: 867724-submitter@bugs.debian.org
Subject: Bug#867724 marked as pending
Date: Mon, 17 Jul 2017 20:28:36 +0000
tag 867724 pending
thanks

Hello,

Bug #867724 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/faad2.git/commit/?id=3a796f4

---
commit 3a796f4c0be9deaf87be5fa4ce6548090f9e64c0
Author: Fabian Greffrath <fabian@debian.org>
Date:   Mon Jul 17 22:26:01 2017 +0200

    update debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 6505e68..7987cb6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,24 @@
-faad2 (2.8.1-1) UNRELEASED; urgency=medium
-
-  * 
-
- -- Fabian Greffrath <fabian@debian.org>  Mon, 17 Jul 2017 21:58:07 +0200
+faad2 (2.8.1-1) unstable; urgency=medium
+
+  * New upstream version 2.8.1.
+    + Fixes multiple vulnerabilities: CVE-2017-9218,
+      CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
+      CVE-2017-9222, CVE-2017-9223, CVE-2017-9253,
+      CVE-2017-9254, CVE-2017-9255, CVE-2017-9256,
+      CVE-2017-9257 (Closes: #867724).
+  * Update debian/watch file.
+  * Refresh reproducible-build.patch.
+  * Remove debian/README.source and debian/gbp.conf files, 
+    they do not apply anymore.
+  * Bump Standards-Version to 4.0.0.
+  * Bump debhelper compat to 10.
+  * Fix vcs-field-uses-insecure-uri lintian warnings.
+  * Enable all hardening flags.
+  * Update debian/copyright,
+    refer to MPL-1.1 in common-licenses.
+  * Drop obsolete faad2-dbg package.
+
+ -- Fabian Greffrath <fabian@debian.org>  Mon, 17 Jul 2017 22:25:26 +0200
 
 faad2 (2.8.0~cvs20161113-1) unstable; urgency=medium
 
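Review bot: the new changelog entry lists the eleven CVE ids but points to nothing that fixed them; add the advisory this bug was opened from (http://seclists.org/fulldisclosure/2017/Jun/32) or the upstream commit next to the "Fixes multiple vulnerabilities" line, so the changelog can be checked against the actual code change later. Minor: the "+  * Remove debian/README.source and debian/gbp.conf files, " line carries trailing whitespace.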



Reply sent to Fabian Greffrath <fabian@debian.org>:
You have taken responsibility. (Mon, 17 Jul 2017 21:09:13 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 17 Jul 2017 21:09:13 GMT) (full text, mbox, link).


Message #28 received at 867724-close@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@debian.org>
To: 867724-close@bugs.debian.org
Subject: Bug#867724: fixed in faad2 2.8.1-1
Date: Mon, 17 Jul 2017 21:04:36 +0000
Source: faad2
Source-Version: 2.8.1-1

We believe that the bug you reported is fixed in the latest version of
faad2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated faad2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Jul 2017 22:25:26 +0200
Source: faad2
Binary: faad libfaad-dev libfaad2
Architecture: source amd64
Version: 2.8.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Description:
 faad       - freeware Advanced Audio Decoder player
 libfaad-dev - freeware Advanced Audio Decoder - development files
 libfaad2   - freeware Advanced Audio Decoder - runtime files
Closes: 867724
Changes:
 faad2 (2.8.1-1) unstable; urgency=medium
 .
   * New upstream version 2.8.1.
     + Fixes multiple vulnerabilities: CVE-2017-9218,
       CVE-2017-9219, CVE-2017-9220, CVE-2017-9221,
       CVE-2017-9222, CVE-2017-9223, CVE-2017-9253,
       CVE-2017-9254, CVE-2017-9255, CVE-2017-9256,
       CVE-2017-9257 (Closes: #867724).
   * Update debian/watch file.
   * Refresh reproducible-build.patch.
   * Remove debian/README.source and debian/gbp.conf files,
     they do not apply anymore.
   * Bump Standards-Version to 4.0.0.
   * Bump debhelper compat to 10.
   * Fix vcs-field-uses-insecure-uri lintian warnings.
   * Enable all hardening flags.
   * Update debian/copyright,
     refer to MPL-1.1 in common-licenses.
   * Drop obsolete faad2-dbg package.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#867724; Package src:faad2. (Sun, 27 Aug 2017 18:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 27 Aug 2017 18:45:02 GMT) (full text, mbox, link).


Message #33 received at 867724@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Fabian Greffrath <fabian@debian.org>
Cc: 867724@bugs.debian.org
Subject: Re: Bug#867724: Multiple security issues
Date: Sun, 27 Aug 2017 20:33:50 +0200
[Message part 1 (text/plain, inline)]
On Fri, 14 Jul 2017 11:32:42 +0200 "Fabian Greffrath"
<fabian@debian.org> wrote:
> control: tags -1 +patch +fixed-upstream
> 
> This has been fixed in upstream GIT.
> 
> Please find attached the cumulated patch
> 

Hi Fabian,

I am currently working on a security update for faad2 in Wheezy. I saw
that upstream did another commit three days after you attached your
patch to this bug report.

https://sourceforge.net/p/faac/faad2/ci/a67c75ed600cf4b41205d69664d3d9106e9c5380/

Apparently there were some issues with an earlier version of your patch.
However, apart from the changes in two additional header files, I don't
see a difference between your patch in this bug report and upstream's
latest commit to address the security vulnerabilities.

Are you aware of any issues with your patch?

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#867724; Package src:faad2. (Sun, 27 Aug 2017 19:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Fabian Greffrath <fabian@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 27 Aug 2017 19:42:06 GMT) (full text, mbox, link).


Message #38 received at 867724@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 867724@bugs.debian.org
Subject: Re: Bug#867724: Multiple security issues
Date: Sun, 27 Aug 2017 21:29:43 +0200
[Message part 1 (text/plain, inline)]
On Sunday, 27.08.2017, 20:33 +0200, Markus Koschany wrote:
> Are you aware of any issues with your patch?

Yes, there was an issue with my patch! I added a field to a struct to
keep track of reading errors, but the struct was defined in two
different places in the source code. This led to a crash when free()ing
a pointer to this struct on Linux, but not on Windows which I used to
develop the patch (don't ask).

Applying this patch on top of the one I sent to the Debian BTS should
fix this issue, although upstream decided to go a different way
and entirely replace the mp4ff library.

https://sourceforge.net/p/faac/bugs/209/?limit=25&page=1#d838

 - Fabian
[signature.asc (application/pgp-signature, inline)]

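The failure Fabian describes, as an added illustration that is not faad2's code or the attached patch: one struct ends up defined in two source files, one copy without and one copy with the added error field, so code built against the short copy allocates fewer bytes than the reader later writes into. The struct and function names are hypothetical, and the struct_size handshake is a generic defensive pattern assumed here, not something the patch contains.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical names: the two typedefs stand in for ONE struct defined in two
 * source files, layout A as the allocator saw it, layout B as the reader saw it. */
typedef struct {
    uint32_t struct_size;  /* layout handshake, filled in by the allocator */
    uint32_t stream_pos;
} mp4_ctx_short;           /* layout A: 8 bytes */

typedef struct {
    uint32_t struct_size;
    uint32_t stream_pos;
    int32_t error;         /* field added by the fix, absent from layout A */
} mp4_ctx_long;            /* layout B: 12 bytes */

/* Bytes layout B needs beyond what layout A allocates (4 here). */
size_t layout_size_delta(void) {
    return sizeof(mp4_ctx_long) - sizeof(mp4_ctx_short);
}

/* Allocator: sz is sizeof whichever layout the allocating file was built with.
 * struct_size sits at offset 0 in both layouts, so it can be set generically. */
static void *ctx_open(size_t sz) {
    uint32_t *hdr = calloc(1, sz);
    if (hdr) *hdr = (uint32_t)sz;
    return hdr;
}

/* Reader built against layout B. An unchecked c->error = err on a layout-A object
 * writes past the allocation and corrupts heap metadata, hence the free() crash;
 * checking the recorded size turns that into a reportable error instead. */
static int ctx_set_error_checked(void *p, int32_t err) {
    mp4_ctx_long *c = p;
    size_t need = offsetof(mp4_ctx_long, error) + sizeof c->error;
    if (c == NULL || c->struct_size < need)
        return -1;         /* layout mismatch: refuse the out-of-bounds write */
    c->error = err;
    return 0;
}

int demo_mismatch(void) {  /* allocated by layout-A code, used by layout-B code */
    void *c = ctx_open(sizeof(mp4_ctx_short));
    int rc = ctx_set_error_checked(c, 1);
    free(c);               /* safe: nothing was written past the allocation */
    return rc;             /* -1 */
}

int demo_consistent(void) {  /* both sides built from one shared definition */
    void *c = ctx_open(sizeof(mp4_ctx_long));
    int rc = ctx_set_error_checked(c, 1);
    free(c);
    return rc;             /* 0 */
}
```

The real fix is a single definition in one shared header; the size check only makes a mismatch that slipped through fail loudly instead of corrupting the heap.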
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#867724; Package src:faad2. (Wed, 30 Aug 2017 20:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 20:27:05 GMT) (full text, mbox, link).


Message #43 received at 867724@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Fabian Greffrath <fabian@debian.org>
Cc: 867724@bugs.debian.org
Subject: Re: Bug#867724: Multiple security issues
Date: Wed, 30 Aug 2017 22:23:08 +0200
[Message part 1 (text/plain, inline)]
On Sun, 27 Aug 2017 21:29:43 +0200 Fabian Greffrath <fabian@debian.org>
wrote:
> On Sunday, 27.08.2017, 20:33 +0200, Markus Koschany wrote:
> > Are you aware of any issues with your patch?
> 
> Yes, there was an issue with my patch! I added a field to a struct to
> keep track of reading errors, but the struct was defined in two
> different places in the source code. This led to a crash when free()ing
> a pointer to this struct on Linux, but not on Windows which I used to
> develop the patch (don't ask).
> 
> Applying this patch on top of the one I sent to the Debian BTS should
> fix this issue, although upstream decided to go a different way
> and entirely replace the mp4ff library.
> 
> https://sourceforge.net/p/faac/bugs/209/?limit=25&page=1#d838
> 
>  - Fabian

Hi,

I uploaded a security update for faad2 to wheezy-security a few hours
ago. I am attaching the debdiff to this bug report.

Do you intend to fix the issue in Stretch too? I could prepare the
update for Jessie and ask the release team for a jessie-pu.

Markus
[faad2.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#867724; Package src:faad2. (Fri, 01 Sep 2017 09:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Fabian Greffrath" <fabian@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 01 Sep 2017 09:15:03 GMT) (full text, mbox, link).


Message #48 received at 867724@bugs.debian.org (full text, mbox, reply):

From: "Fabian Greffrath" <fabian@debian.org>
To: "Markus Koschany" <apo@debian.org>
Cc: "Fabian Greffrath" <fabian@debian.org>, 867724@bugs.debian.org
Subject: Re: Bug#867724: Multiple security issues
Date: Fri, 1 Sep 2017 11:12:32 +0200
Hi Markus,

Markus Koschany wrote:
> I uploaded a security update for faad2 to wheezy-security a few hours
> ago. I am attaching the debdiff to this bug report.

thank you very much for that!

> Do you intend to fix the issue in Stretch too? I could prepare the
> update for Jessie and ask the release team for a jessie-pu.

I don't have any plans to do that.

Cheers,

 - Fabian





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Sep 2017 07:26:38 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:09 2019; Machine Name: buxtehude
