
Debian Bug report logs - #865909
faac: CVE-2017-9129 CVE-2017-9130


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 25 Jun 2017 19:18:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version faac/1.28+cvs20151130-1

Fixed in version faac/1.29+git20170704-1

Done: Fabian Greffrath <fabian@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/faac/bugs/208/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#865909; Package src:faac. (Sun, 25 Jun 2017 19:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 25 Jun 2017 19:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: faac: CVE-2017-9129 CVE-2017-9130
Date: Sun, 25 Jun 2017 21:16:13 +0200
Source: faac
Version: 1.28+cvs20151130-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for faac.

CVE-2017-9129[0]:
| The wav_open_read function in frontend/input.c in Freeware Advanced
| Audio Coder (FAAC) 1.28 allows remote attackers to cause a denial of
| service (large loop) via a crafted wav file.

CVE-2017-9130[1]:
| The faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio
| Coder (FAAC) 1.28 allows remote attackers to cause a denial of service
| (invalid memory read and application crash) via a crafted wav file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9129
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9129
[1] https://security-tracker.debian.org/tracker/CVE-2017-9130
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9130
[2] https://www.exploit-db.com/exploits/42207/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#865909; Package src:faac. (Fri, 30 Jun 2017 18:54:03 GMT)


Acknowledgement sent to Fabian Greffrath <fabian@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 30 Jun 2017 18:54:03 GMT)


Message #10 received at 865909@bugs.debian.org:

From: Fabian Greffrath <fabian@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 865909@bugs.debian.org
Subject: Re: Bug#865909: faac: CVE-2017-9129 CVE-2017-9130
Date: Fri, 30 Jun 2017 20:50:40 +0200
[Message part 1 (text/plain, inline)]
control: forwarded -1 https://sourceforge.net/p/faac/bugs/208/
control: tags -1 +patch
[faac_CVE-2017-9130.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://sourceforge.net/p/faac/bugs/208/'. Request was from Fabian Greffrath <fabian@debian.org> to 865909-submit@bugs.debian.org. (Fri, 30 Jun 2017 18:54:03 GMT)


Added tag(s) patch. Request was from Fabian Greffrath <fabian@debian.org> to 865909-submit@bugs.debian.org. (Fri, 30 Jun 2017 18:54:03 GMT)


Added tag(s) pending. Request was from Fabian Greffrath <fabian@debian.org> to control@bugs.debian.org. (Wed, 05 Jul 2017 18:21:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#865909. (Wed, 05 Jul 2017 18:21:13 GMT)


Message #19 received at 865909-submitter@bugs.debian.org:

From: Fabian Greffrath <fabian@debian.org>
To: 865909-submitter@bugs.debian.org
Subject: Bug#865909 marked as pending
Date: Wed, 05 Jul 2017 18:17:35 +0000
tag 865909 pending
thanks

Hello,

Bug #865909 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/faac.git/commit/?id=869c36e

---
commit 869c36eaa625a6026da1d246bbede91300f0e4d9
Author: Fabian Greffrath <fabian@debian.org>
Date:   Wed Jul 5 20:14:17 2017 +0200

    update debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 9f2c583..10d9dae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,19 @@
-faac (1.29-1) UNRELEASED; urgency=medium
-
-  * 
-
- -- Fabian Greffrath <fabian@debian.org>  Tue, 04 Jul 2017 21:30:14 +0200
+faac (1.29+git20170704-1) unstable; urgency=medium
+
+  * New upstream version 1.29+git20170704 (commit 451843).
+    + Fixes CVE-2017-9129 CVE-2017-9130 (Closes: 865909).
+  * Update debian/watch file.
+  * Remove debian/README.source and debian/gbp.conf files,
+    they do not apply anymore.
+  * Remove Maia Kozheva from Uploaders (Closes: #829316).
+  * Bump Standards-Version to 4.0.0:
+    + Refer to MPL-1.1 in common-licenses in debian/copyright.
+  * Bump debhelper compat to 10.
+  * Fix spelling-error-in-readme-debian lintian warning.
+  * Fix vcs-field-uses-insecure-uri lintian warning.
+  * Enable all hardening flags.
+
+ -- Fabian Greffrath <fabian@debian.org>  Wed, 05 Jul 2017 20:13:41 +0200
 
 faac (1.28+cvs20151130-1) unstable; urgency=medium
 
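Review bot: the two bug references in the new changelog entry use different forms: "+    + Fixes CVE-2017-9129 CVE-2017-9130 (Closes: 865909)." omits the "#" while "+  * Remove Maia Kozheva from Uploaders (Closes: #829316)." includes it. Both are recognised by the BTS closes parser (the upload's Closes field lists both 829316 and 865909), so this is a consistency point only; writing "(Closes: #865909)" would match the other entry. Separately, "New upstream version 1.29+git20170704 (commit 451843)" identifies the upstream fix by a six-character abbreviation; since this entry is the record tying the CVE fix to a specific upstream revision, the full commit hash would make that link unambiguous.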



Reply sent to Fabian Greffrath <fabian@debian.org>:
You have taken responsibility. (Wed, 05 Jul 2017 18:39:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Jul 2017 18:39:06 GMT)


Message #24 received at 865909-close@bugs.debian.org:

From: Fabian Greffrath <fabian@debian.org>
To: 865909-close@bugs.debian.org
Subject: Bug#865909: fixed in faac 1.29+git20170704-1
Date: Wed, 05 Jul 2017 18:34:02 +0000
Source: faac
Source-Version: 1.29+git20170704-1

We believe that the bug you reported is fixed in the latest version of
faac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated faac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Jul 2017 20:13:41 +0200
Source: faac
Binary: faac libfaac-dev libfaac0
Architecture: source amd64
Version: 1.29+git20170704-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Description:
 faac       - AAC audio encoder (frontend)
 libfaac-dev - AAC audio encoder (development)
 libfaac0   - AAC audio encoder (library)
Closes: 829316 865909
Changes:
 faac (1.29+git20170704-1) unstable; urgency=medium
 .
   * New upstream version 1.29+git20170704 (commit 451843).
     + Fixes CVE-2017-9129 CVE-2017-9130 (Closes: 865909).
   * Update debian/watch file.
   * Remove debian/README.source and debian/gbp.conf files,
     they do not apply anymore.
   * Remove Maia Kozheva from Uploaders (Closes: #829316).
   * Bump Standards-Version to 4.0.0:
     + Refer to MPL-1.1 in common-licenses in debian/copyright.
   * Bump debhelper compat to 10.
   * Fix spelling-error-in-readme-debian lintian warning.
   * Fix vcs-field-uses-insecure-uri lintian warning.
   * Enable all hardening flags.
Checksums-Sha1:
 9ad3d3e68ac4f013c565287b2ed6a566d1b9fcb3 2204 faac_1.29+git20170704-1.dsc
 cda5a5d4ed452ae0b3d4fdf10e7e664135d6bb92 302573 faac_1.29+git20170704.orig.tar.bz2
 b5e1f825ef5792971fa2d9a415b023798d173e43 6412 faac_1.29+git20170704-1.debian.tar.xz
 ca36d34fb23adaebe5c37d6cda3b0c24a2765487 17214 faac-dbgsym_1.29+git20170704-1_amd64.deb
 e4cc4c8bde47b3d847720dcc0401f86ef5f6b49b 6574 faac_1.29+git20170704-1_amd64.buildinfo
 fa2bcfe49f7d829c5f676f7d429822588d7c3b6c 17360 faac_1.29+git20170704-1_amd64.deb
 1d59598956a261ecb9c40eb4338b6ffd9ffc8d0e 56290 libfaac-dev_1.29+git20170704-1_amd64.deb
 63d0d5658c96a4567e51a775ee85aa1a9cf78e08 163786 libfaac0-dbgsym_1.29+git20170704-1_amd64.deb
 86d7a9b11a924991331c53e659a1204c71018234 51528 libfaac0_1.29+git20170704-1_amd64.deb
Checksums-Sha256:
 b8ef62e066fe74083c9b2b611b272808a2bd259e01d5ade80203ecff144bc1a6 2204 faac_1.29+git20170704-1.dsc
 7f7a3243b79c8df237f75d02c192c272dfb0ccc3f171c5451c1be8fc8ffdd011 302573 faac_1.29+git20170704.orig.tar.bz2
 21a8b511bb6e0c45767c0c43f30a94c0cf8376c665ff9802055e8c39696d13b4 6412 faac_1.29+git20170704-1.debian.tar.xz
 32eafb1024ef6f0de794ffa77989ed1d4cf3361e0242b8fcf03ea8fc83f07e9e 17214 faac-dbgsym_1.29+git20170704-1_amd64.deb
 406a5cf6283a943e1f922a1b1f2ac52b05bd784a57e3424a475310d65418763f 6574 faac_1.29+git20170704-1_amd64.buildinfo
 c079032f0c5447aee444665c4f22ad4574c941613e454b2b7bcb470fa63922b0 17360 faac_1.29+git20170704-1_amd64.deb
 0b5396994b61e5599e164b8415a3233b277392ed39de14a5e123905801b00eaf 56290 libfaac-dev_1.29+git20170704-1_amd64.deb
 cf598c7bbbfd11b72cd1a39188b2d0c9f21ee105df9e0f4a5174153b2ba27817 163786 libfaac0-dbgsym_1.29+git20170704-1_amd64.deb
 eae19623fc0fe774f75ac08746cd26d38145f6b5abfcf4f26939939f3fe6f3cb 51528 libfaac0_1.29+git20170704-1_amd64.deb
Files:
 78a2a5a3b808585bfcdd5c2769ae7af1 2204 non-free/sound optional faac_1.29+git20170704-1.dsc
 166438b2bcc2e50faafa68e4f8d1d346 302573 non-free/sound optional faac_1.29+git20170704.orig.tar.bz2
 5cac201f947510eab2aacdb79ebe2a83 6412 non-free/sound optional faac_1.29+git20170704-1.debian.tar.xz
 88953c4095d0bdef2418da3e5d96ed4b 17214 non-free/debug extra faac-dbgsym_1.29+git20170704-1_amd64.deb
 7fc9531f5f90d361fcdf8083a457ff04 6574 non-free/sound optional faac_1.29+git20170704-1_amd64.buildinfo
 d51bf6911e58be42239a0fdbfb34e4ed 17360 non-free/sound optional faac_1.29+git20170704-1_amd64.deb
 21963649782a7738ff8cfa258ab6c8ef 56290 non-free/libdevel optional libfaac-dev_1.29+git20170704-1_amd64.deb
 0822206e52c2c1cfc231c08ebee28194 163786 non-free/debug extra libfaac0-dbgsym_1.29+git20170704-1_amd64.deb
 51f4bd941a24fa8e0bc218d0ac0d6070 51528 non-free/libs optional libfaac0_1.29+git20170704-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#865909; Package src:faac. (Fri, 14 Jul 2017 09:48:05 GMT)


Acknowledgement sent to "Fabian Greffrath" <fabian@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 14 Jul 2017 09:48:05 GMT)


Message #29 received at 865909@bugs.debian.org:

From: "Fabian Greffrath" <fabian@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>, 865909@bugs.debian.org
Subject: Re: Bug#865909: faac: CVE-2017-9129 CVE-2017-9130
Date: Fri, 14 Jul 2017 11:45:59 +0200
[Message part 1 (text/plain, inline)]
control: tags -1 +patch +fixed-upstream

This has been fixed in upstream GIT.

Please find attached the cumulated patch.

 - Fabian
[faac_865909.patch (application/octet-stream, attachment)]

Added tag(s) fixed-upstream. Request was from "Fabian Greffrath" <fabian@debian.org> to 865909-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:48:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Aug 2017 07:25:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:13 2019; Machine Name: buxtehude
