Debian Bug report logs - #505478
CVE-2008-5030: Buffer overflow
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 12 Nov 2008 21:21:01 UTC
Severity: grave
Tags: security
Fixed in version libcdaudio/0.99.12p2-7
Done: Daniel Baumann <daniel@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Daniel Baumann <daniel@debian.org>: Bug#505478; Package libcdaudio. (Wed, 12 Nov 2008 21:21:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Daniel Baumann <daniel@debian.org>. (Wed, 12 Nov 2008 21:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libcdaudio
Severity: grave
Tags: security
Justification: user security hole
Hi Daniel, please see
http://www.openwall.com/lists/oss-security/2008/11/05/1
http://www.openwall.com/lists/oss-security/2008/11/07/1
I'm attaching the dpatch I'm using for stable-security for your
convenience. Please upload to unstable with urgency=high and
pester the RMs.
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
[02-cddb-bufferoverflow.dpatch (text/x-shellscript, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>: Bug#505478; Package libcdaudio. (Wed, 12 Nov 2008 21:50:32 GMT)
Acknowledgement sent to daniel@debian.org: Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@debian.org>. (Wed, 12 Nov 2008 21:50:57 GMT)
Message #10 received at 505478@bugs.debian.org:
Moritz Muehlenhoff wrote:
> Package: libcdaudio
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi Daniel, please see
> http://www.openwall.com/lists/oss-security/2008/11/05/1
> http://www.openwall.com/lists/oss-security/2008/11/07/1
>
> I'm attaching the dpatch I'm using for stable-security for your
> convenience.
thanks.
> Please upload to unstable with urgency=high
done.
> and pester the RMs.
done hereby.
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>: Bug#505478; Package libcdaudio. (Wed, 12 Nov 2008 22:17:47 GMT)
Acknowledgement sent to Luk Claes <luk@debian.org>: Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@debian.org>. (Wed, 12 Nov 2008 22:17:49 GMT)
Message #15 received at 505478@bugs.debian.org:
Daniel Baumann wrote:
> Moritz Muehlenhoff wrote:
>> Package: libcdaudio
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Hi Daniel, please see
>> http://www.openwall.com/lists/oss-security/2008/11/05/1
>> http://www.openwall.com/lists/oss-security/2008/11/07/1
>>
>> I'm attaching the dpatch I'm using for stable-security for your
>> convenience.
>
> thanks.
>
>> Please upload to unstable with urgency=high
>
> done.
unblocked
Cheers
Luk
Reply sent to Daniel Baumann <daniel@debian.org>: You have taken responsibility. (Wed, 12 Nov 2008 22:18:14 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Wed, 12 Nov 2008 22:18:18 GMT)
Message #20 received at 505478-close@bugs.debian.org:
Source: libcdaudio
Source-Version: 0.99.12p2-7
We believe that the bug you reported is fixed in the latest version of
libcdaudio, which is due to be installed in the Debian FTP archive:
libcdaudio-dbg_0.99.12p2-7_i386.deb
to pool/main/libc/libcdaudio/libcdaudio-dbg_0.99.12p2-7_i386.deb
libcdaudio-dev_0.99.12p2-7_i386.deb
to pool/main/libc/libcdaudio/libcdaudio-dev_0.99.12p2-7_i386.deb
libcdaudio1_0.99.12p2-7_i386.deb
to pool/main/libc/libcdaudio/libcdaudio1_0.99.12p2-7_i386.deb
libcdaudio_0.99.12p2-7.diff.gz
to pool/main/libc/libcdaudio/libcdaudio_0.99.12p2-7.diff.gz
libcdaudio_0.99.12p2-7.dsc
to pool/main/libc/libcdaudio/libcdaudio_0.99.12p2-7.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 505478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated libcdaudio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 12 Nov 2008 22:34:00 +0100
Source: libcdaudio
Binary: libcdaudio1 libcdaudio-dev libcdaudio-dbg
Architecture: source i386
Version: 0.99.12p2-7
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Description:
libcdaudio-dbg - library for controlling a CD-ROM when playing audio CDs (debug)
libcdaudio-dev - library for controlling a CD-ROM when playing audio CDs (developm
libcdaudio1 - library for controlling a CD-ROM when playing audio CDs
Closes: 505478
Changes:
libcdaudio (0.99.12p2-7) unstable; urgency=high
.
* Updating vcs fields in control file.
* Using patch-stamp rather than patch in rules file.
* Replacing obsolete dh_clean -k with dh_prep.
* Adding patch from Moritz Muehlenhoff <jmm@inutil.org> to fix bufferoverflow
with CDDB handling [CVE-2008-5030] (Closes: #505478).
Checksums-Sha1:
3eebf514cfd8dc70a4f1fecd1567cd026ed8320b 1211 libcdaudio_0.99.12p2-7.dsc
2c6a025d674edf82b6dc8ded767b177984188245 5227 libcdaudio_0.99.12p2-7.diff.gz
9c12e89cafd2a0714695ddd683c0a0ca68c6c434 44804 libcdaudio1_0.99.12p2-7_i386.deb
15c1c80d0a3c546ec5db2d2689a41efa0dce440d 48350 libcdaudio-dev_0.99.12p2-7_i386.deb
38402fb5cb166d14122f89007a5b0249655524e1 47506 libcdaudio-dbg_0.99.12p2-7_i386.deb
Checksums-Sha256:
c809cd5f634ac2f6e55f0fbe5dca73617000f535e4a643111823534f5ca99c46 1211 libcdaudio_0.99.12p2-7.dsc
3a5144408aeb24b1e03495ab64ff0ec0ef91612be6d8d4bb80387e8d6bbcf7e4 5227 libcdaudio_0.99.12p2-7.diff.gz
de499d70fdc24fb0d2a22fa3969709ff0dd9dd5930eaf9e2f6d1df630220d876 44804 libcdaudio1_0.99.12p2-7_i386.deb
f60d407b9e7a0d131b8f9dd6a35239212a4439a0b5a29e91e8911e15fa52269a 48350 libcdaudio-dev_0.99.12p2-7_i386.deb
63ddf4126787121d50445fb8698a9d309312f1e800caf0550e298f427ce8df1a 47506 libcdaudio-dbg_0.99.12p2-7_i386.deb
Files:
80f88403871f9c4001393ea5cfa439e5 1211 libs optional libcdaudio_0.99.12p2-7.dsc
3fde3ac0eee70c540830e8ba454304f3 5227 libs optional libcdaudio_0.99.12p2-7.diff.gz
3814f9ca102514906e082abec18d43bb 44804 libs optional libcdaudio1_0.99.12p2-7_i386.deb
9f6fd3c6c109c7d9df94f4c14c717c4c 48350 libdevel optional libcdaudio-dev_0.99.12p2-7_i386.deb
7ec980026dc2d05a85740dbfd08c51b5 47506 devel extra libcdaudio-dbg_0.99.12p2-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEUEARECAAYFAkkbTG0ACgkQ+C5cwEsrK54VKgCg4PW7BXHYFGmj/cZqVH0Uz62s
P8IAl2zpWHRlB2VJ1XjtM9lj0CBEudU=
=FPlA
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 19 Dec 2008 07:32:43 GMT)
Last modified: Wed Jun 19 18:36:47 2019