buffer overflow in libaudiofile

Debian Bug report logs - #510205
buffer overflow in libaudiofile

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Max Kellermann <max@duempel.org>

To: submit@bugs.debian.org, michael@68k.org

Cc: wyskas@gmail.com, musicpd-dev-team@lists.sourceforge.net

Subject: buffer overflow in libaudiofile

Date: Tue, 30 Dec 2008 14:28:58 +0100

Package: libaudiofile0
Version: 0.2.6-6
Severity: critical

Today, the Music Player Daemon project received a bug report from
Anton Khirnov: MPD crashed when attempting to play a WAV file.  "file"
says:

 RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100
 Hz

The MPD bug report: http://musicpd.org/mantis/view.php?id=1915

The test file: http://filebin.ca/meqmyu/max_theme.wav

Turns out that this is a bug in libaudiofile.  When attempting to
decode the file, libaudiofile writes past the buffer in msadpcm.c:194

  code = *encoded >> 4;
  newSample = ms_adpcm_decode_sample(state[0], code,
          coefficient[0]);
  *decoded++ = newSample;

Valgrind output:

 ==4680== Invalid write of size 2
 ==4680==    at 0x8CF0478: ms_adpcm_run_pull (msadpcm.c:194)
 ==4680==    by 0x8CEAF75: _AFpull (modules.c:111)
 ==4680==    by 0x8CF11A3: int2rebufferf2vrun_pull (rebuffer.template:409)
 ==4680==    by 0x8CDE4ED: afReadFrames (data.c:228)
 ==4680==    by 0x435EBA: audiofile_streamdecode (audiofile_plugin.c:159)
 ==4680==    by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
 ==4680==    by 0x414A5C: decoder_run (decoder_thread.c:189)
 ==4680==    by 0x414B7B: decoder_task (decoder_thread.c:214)
 ==4680==    by 0x72E0453: g_thread_create_proxy (gthread.c:635)
 ==4680==    by 0x62CBFC6: start_thread (pthread_create.c:297)
 ==4680==    by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
 ==4680==  Address 0x15a66de8 is 0 bytes after a block of size 4,096 alloc'd
 ==4680==    at 0x4C2260E: malloc (vg_replace_malloc.c:207)
 ==4680==    by 0x8CDF96A: _af_malloc (util.c:122)
 ==4680==    by 0x8CEEEBA: _AFsetupmodules (modules.c:2539)
 ==4680==    by 0x8CDE151: afGetFrameCount (format.c:218)
 ==4680==    by 0x435CDD: audiofile_streamdecode (audiofile_plugin.c:141)
 ==4680==    by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
 ==4680==    by 0x414A5C: decoder_run (decoder_thread.c:189)
 ==4680==    by 0x414B7B: decoder_task (decoder_thread.c:214)
 ==4680==    by 0x72E0453: g_thread_create_proxy (gthread.c:635)
 ==4680==    by 0x62CBFC6: start_thread (pthread_create.c:297)
 ==4680==    by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)

A quick look at the code revealed that the allocated buffer size
depended on the following formula:

  bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE);

outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because
the msadpcm module does not implement the max_pull callback.  This
results in a 4096 byte allocation in modules.c:2539 (frame size is 4).

In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036
(unverified value from the input file header).  outputLength is 8144,
which obviously does not fit into the allocated 4096 byte buffer.

I could reproduce the same crash with "normalize-audio max_theme.wav".
The real crash happens after closing the file, probably due to heap
corruption.  valgrind notices the problem before the crash actually
occurs.

Severity "critical" because this is may be used for a remote DoS
attack on software like MPD.  I did not investigate whether it is
possible to inject code this way.  Chances are good, since arbitrary
amounts of heap can be overwritten.

Both Debian Etch and Lenny are affected.

Solution: don't use libaudiofile.  Change libaudiofile to allocate the
correct buffer size.  Add buffer size checks to libaudiofile.

Regards,
Max Kellermann

Message #12 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Daniel Kobras <kobras@debian.org>

To: Max Kellermann <max@duempel.org>, 510205@bugs.debian.org

Subject: Re: Bug#510205: buffer overflow in libaudiofile

Date: Tue, 30 Dec 2008 16:14:45 +0100

Hi!

On Tue, Dec 30, 2008 at 02:28:58PM +0100, Max Kellermann wrote:
> Solution: don't use libaudiofile.  Change libaudiofile to allocate the
> correct buffer size.  Add buffer size checks to libaudiofile.

Many thanks for investigating and the detailed report. I'll try to get
the buffer allocation fixed.

Regards,

Daniel.

Message #17 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Daniel Kobras <kobras@debian.org>

To: Max Kellermann <max@duempel.org>, 510205@bugs.debian.org

Cc: michael@68k.org, wyskas@gmail.com, musicpd-dev-team@lists.sourceforge.net

Subject: Re: Bug#510205: buffer overflow in libaudiofile

Date: Sun, 4 Jan 2009 01:51:21 +0100

[Message part 1 (text/plain, inline)]

tags 510205 + patch
thanks

Hi!

On Tue, Dec 30, 2008 at 02:28:58PM +0100, Max Kellermann wrote:
> Today, the Music Player Daemon project received a bug report from
> Anton Khirnov: MPD crashed when attempting to play a WAV file.  "file"
> says:
> 
>  RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100
>  Hz
> 
> The MPD bug report: http://musicpd.org/mantis/view.php?id=1915
> 
> The test file: http://filebin.ca/meqmyu/max_theme.wav

It seems that audiofile's modules/msadpcm.c::ms_adpcm_decode_block()
incorrectly scales the samplesPerBlock value with the number of
channels. All adpcm-coded files with two channels should be affected.
With the attached patch, I can play the "max_theme" test file without
audiofile crashing. However, I think a few additional checks are in
order to make the module more robust against malicious input. I'll try
to check this in the next days.

Regards,

Daniel.

[audiofile-msadpcm-fix.diff (text/plain, inline)]

diff -r 247fd11d763d libaudiofile/modules/msadpcm.c
--- a/libaudiofile/modules/msadpcm.c	Sat Jan 03 20:35:58 2009 +0100
+++ b/libaudiofile/modules/msadpcm.c	Sun Jan 04 01:43:06 2009 +0100
@@ -129,8 +129,7 @@
 	ms_adpcm_state	*state[2];
 
 	/* Calculate the number of bytes needed for decoded data. */
-	outputLength = msadpcm->samplesPerBlock * sizeof (int16_t) *
-		msadpcm->track->f.channelCount;
+	outputLength = msadpcm->samplesPerBlock * sizeof (int16_t);
 
 	channelCount = msadpcm->track->f.channelCount;
 
@@ -180,8 +179,7 @@
 		The first two samples have already been 'decoded' in
 		the block header.
 	*/
-	samplesRemaining = (msadpcm->samplesPerBlock - 2) *
-		msadpcm->track->f.channelCount;
+	samplesRemaining = msadpcm->samplesPerBlock - 2;
 
 	while (samplesRemaining > 0)
 	{

Message #24 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Matthias Drochner <M.Drochner@fz-juelich.de>

To: 510205@bugs.debian.org

Subject: Re: Bug#510205: buffer overflow in libaudiofile

Date: Mon, 12 Jan 2009 20:14:13 +0100

[Message part 1 (text/plain, inline)]

It seems the root of the bug is some misunderstanding between
the parsing and the decoding code about samples/frames per block.
What is parsed as "samplesPerBlock" in the .wav file is
a _frame_ count in reality, if we follow what seem to
be libaudiofile's conventions.
If you just decode less samples as in the proposed patch
you'll always skip the second half of each buffer.
The appended patch works better for me. It still doesn't
protect against buffer overflows.

best regards
Matthias





-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich

Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------

[patch-ad (text/plain, attachment)]

Message #29 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 510205@bugs.debian.org

Cc: kobras@debian.org

Subject: Re: buffer overflow in libaudiofile

Date: Mon, 6 Apr 2009 17:54:46 +0200

[Message part 1 (text/plain, inline)]

Hi,
what is the current status of this bug, anyone still working 
on this?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #32 received at 510205-submitter@bugs.debian.org (full text, mbox, reply):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

To: 510205-submitter@bugs.debian.org

Subject: Re: Bug#510205: buffer overflow in libaudiofile

Date: Wed, 6 May 2009 21:48:37 -0400

hi,

any news on this one?  since this is being tracked with critical
severity, it really should be handled as swiftly as possible (it's been
six months now since the original disclosure).  suse has issued updates
for CVE-2008-5824, perhaps their patches may be helpful [1].  thanks.

mike

[1]
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html

Message #37 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marcdeslauriers@videotron.ca>

To: 510205@bugs.debian.org

Subject: Re: Bug#510205: buffer overflow in libaudiofile

Date: Tue, 16 Jun 2009 14:54:45 -0400

The SUSE update simply contains the patch from:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205#17

Message #42 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 510205@bugs.debian.org

Subject: status

Date: Thu, 27 Aug 2009 19:50:13 +0200

[Message part 1 (text/plain, inline)]

Hi Daniel,
what's the current status of this bug?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #47 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>

To: 510205@bugs.debian.org, control@bugs.debian.org

Cc: secure-testing-team@lists.alioth.debian.org

Subject: forwarded

Date: Fri, 27 Nov 2009 22:21:33 -0500

forwarded 510205 https://bugzilla.gnome.org/show_bug.cgi?id=603198
thanks

since there has been no debian activity on this bug for almost a year,
and upstream appears to be dead, i have forwarded the problem to gnome
since it is probably the most important downstream of libaudiofile.
they should have enough developer resources/brainpower to solve the
problem.

if nothing happens, perhaps this package should become a candidate for
removal?

mike

Message #54 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: 510205@bugs.debian.org, Matthias Drochner <M.Drochner@fz-juelich.de>, Max Kellermann <max@duempel.org>

Subject: audiofile patch

Date: Sat, 28 Nov 2009 16:30:28 +0100 (CET)

[Message part 1 (text/plain, inline)]

Matthias was right, there is a confusion between samples and frames. I 
have completed the patch and added a few sanity checks. Reviewers are 
wellcome.

I will upload a NMU shortly.

BTW, this is not enough to make normalize-audio work under valgrind. 
Normalize-audio has an additional bug.

Cheers,
Stefan

[22_CVE-2008-5824.dpatch (text/plain, attachment)]

Message #59 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: 510205@bugs.debian.org, Matthias Drochner <M.Drochner@fz-juelich.de>, Max Kellermann <max@duempel.org>

Subject: Re: Bug#510205: audiofile patch

Date: Sat, 28 Nov 2009 16:51:15 +0100 (CET)

[Message part 1 (text/plain, inline)]

On Sat, 28 Nov 2009, Stefan Fritsch wrote:

> Matthias was right, there is a confusion between samples and frames. I have 
> completed the patch and added a few sanity checks. Reviewers are wellcome.

Sorry, I attached the wrong file (a broken version). Now I have the right 
one...

[22_CVE-2008-5824.dpatch (text/plain, attachment)]

Message #68 received at 510205-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 510205-close@bugs.debian.org

Subject: Bug#510205: fixed in audiofile 0.2.6-7.1

Date: Sat, 28 Nov 2009 16:03:45 +0000

Source: audiofile
Source-Version: 0.2.6-7.1

We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive:

audiofile_0.2.6-7.1.diff.gz
  to main/a/audiofile/audiofile_0.2.6-7.1.diff.gz
audiofile_0.2.6-7.1.dsc
  to main/a/audiofile/audiofile_0.2.6-7.1.dsc
libaudiofile-dev_0.2.6-7.1_i386.deb
  to main/a/audiofile/libaudiofile-dev_0.2.6-7.1_i386.deb
libaudiofile0-dbg_0.2.6-7.1_i386.deb
  to main/a/audiofile/libaudiofile0-dbg_0.2.6-7.1_i386.deb
libaudiofile0_0.2.6-7.1_i386.deb
  to main/a/audiofile/libaudiofile0_0.2.6-7.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510205@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated audiofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 Nov 2009 15:41:28 +0100
Source: audiofile
Binary: libaudiofile-dev libaudiofile0 libaudiofile0-dbg
Architecture: source i386
Version: 0.2.6-7.1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
 libaudiofile0 - Open-source version of SGI's audiofile library
 libaudiofile0-dbg - Open-source version of SGI's audiofile library
Closes: 510205
Changes: 
 audiofile (0.2.6-7.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2008-5824: Fix buffer overflow when decompressing MS ADPCM .wav files
     (closes: #510205).
Checksums-Sha1: 
 18b1e30599ae9cf4a78602b100647492c6ed2d68 1027 audiofile_0.2.6-7.1.dsc
 3db3254de7197bad0041a81e597daef4a14f8e04 301045 audiofile_0.2.6-7.1.diff.gz
 7b829611d261e200bcdada0eda467a36eafe81ba 117640 libaudiofile-dev_0.2.6-7.1_i386.deb
 b335b1921d831ae1a496747c6390c5fcffb9571e 77972 libaudiofile0_0.2.6-7.1_i386.deb
 8ee57ab5eeb314538b8277cb19e2b83d197d4e3b 164910 libaudiofile0-dbg_0.2.6-7.1_i386.deb
Checksums-Sha256: 
 74d065f7a84ff192ce552bbedae63bc947ebdb36481399a87e2f96fdb3210dad 1027 audiofile_0.2.6-7.1.dsc
 ea1e582b8dc65912671869621a35649030e9095882231e782f474d866ae2a46e 301045 audiofile_0.2.6-7.1.diff.gz
 407f073269671d944e501b8ad016d52a6c4c6a6dcb2494c7020b9801e2c8efc3 117640 libaudiofile-dev_0.2.6-7.1_i386.deb
 24b89b16f492d82e36482c82b3661cd436f509cbf39c3fab48b3abbbaf38f3c2 77972 libaudiofile0_0.2.6-7.1_i386.deb
 db5d8162d80d43cce4c0a545b711402541126788ce94a4fc04d29846e5ccd7f8 164910 libaudiofile0-dbg_0.2.6-7.1_i386.deb
Files: 
 c6b164ace07ee38609b39f722d30261a 1027 libs optional audiofile_0.2.6-7.1.dsc
 280d9ba76fa4767e45cc67302192c4f6 301045 libs optional audiofile_0.2.6-7.1.diff.gz
 ae8d6e209243f2451b8e4ea45a64aa6b 117640 libdevel optional libaudiofile-dev_0.2.6-7.1_i386.deb
 db46468fab8ecb57a2039ac91ef1f042 77972 libs optional libaudiofile0_0.2.6-7.1_i386.deb
 d5b0aa8b171c9bcd5fa09f6e1c564f1a 164910 libdevel optional libaudiofile0-dbg_0.2.6-7.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLEUh+bxelr8HyTqQRAm25AJ9/L4nOPK5uVdE6D4WpnBf8UGuSnQCdH4pA
5z5X4emPc250KMyDi2CeZJw=
=rZ1y
-----END PGP SIGNATURE-----

Message #75 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: Michael Gilbert <michael.s.gilbert@gmail.com>

Cc: secure-testing-team@lists.alioth.debian.org, 510205@bugs.debian.org

Subject: Re: [Secure-testing-team] audiofile

Date: Sun, 29 Nov 2009 12:06:17 +0100 (CET)

Hi Michael,

On Fri, 27 Nov 2009, Michael Gilbert wrote:
> since there has been no debian activity on this bug for almost a year,
> and upstream appears to be dead, i have forwarded the problem to gnome
> since it is probably the most important downstream of libaudiofile.
> they should have enough developer resources/brainpower to solve the
> problem.
>
> if nothing happens, perhaps this package should become a candidate for
> removal?

I have fixed #510205 during our BSP, but it is definitely a good idea to 
try to find some new upstream maintainers for it.

Cheers,
Stefan

Message #80 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>

To: secure-testing-team@lists.alioth.debian.org, 510205@bugs.debian.org

Subject: Re: [Secure-testing-team] audiofile

Date: Sun, 29 Nov 2009 14:49:40 -0500

On Sun, 29 Nov 2009 12:06:17 +0100 (CET) Stefan Fritsch wrote:

> Hi Michael,
> 
> On Fri, 27 Nov 2009, Michael Gilbert wrote:
> > since there has been no debian activity on this bug for almost a year,
> > and upstream appears to be dead, i have forwarded the problem to gnome
> > since it is probably the most important downstream of libaudiofile.
> > they should have enough developer resources/brainpower to solve the
> > problem.
> >
> > if nothing happens, perhaps this package should become a candidate for
> > removal?
> 
> I have fixed #510205 during our BSP, but it is definitely a good idea to 
> try to find some new upstream maintainers for it.

thanks Steffan!  i will update the gnome bug report and ask if they
would be willing to take over maintainership.

cheers,
mike

Message #85 received at 510205@bugs.debian.org (full text, mbox, reply):

From: Matthias Drochner <m.drochner@googlemail.com>

To: Stefan Fritsch <sf@sfritsch.de>

Cc: <510205@bugs.debian.org>, Matthias Drochner <M.Drochner@fz-juelich.de>, Max Kellermann <max@duempel.org>

Subject: Re: audiofile patch

Date: Tue, 1 Dec 2009 13:47:50 +0100

On Sat, 28 Nov 2009 16:30:28 +0100
Stefan Fritsch <sf@sfritsch.de> wrote:
> I have completed the patch and added a few sanity checks. Reviewers
> are wellcome.

Thanks for getting this into shape. For MSADPCM, it is
effectively identical to the code I've been using in
pkgsrc for a couple of months (without the extra checks).
Just tested with your patch, and my test files still play
fine in mpd/musicpd.
For IMA: the decompression code does only allow for one
channel anyway, so a simpler check would be sufficient.

best regards
Matthias

Message #90 received at 510205-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 510205-close@bugs.debian.org

Subject: Bug#510205: fixed in audiofile 0.2.6-7+lenny1

Date: Sun, 17 Jan 2010 14:06:51 +0000

Source: audiofile
Source-Version: 0.2.6-7+lenny1

We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive:

audiofile_0.2.6-7+lenny1.diff.gz
  to main/a/audiofile/audiofile_0.2.6-7+lenny1.diff.gz
audiofile_0.2.6-7+lenny1.dsc
  to main/a/audiofile/audiofile_0.2.6-7+lenny1.dsc
libaudiofile-dev_0.2.6-7+lenny1_i386.deb
  to main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_i386.deb
libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
  to main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
libaudiofile0_0.2.6-7+lenny1_i386.deb
  to main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510205@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated audiofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Dec 2009 14:45:38 +0100
Source: audiofile
Binary: libaudiofile-dev libaudiofile0 libaudiofile0-dbg
Architecture: source i386
Version: 0.2.6-7+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
 libaudiofile0 - Open-source version of SGI's audiofile library
 libaudiofile0-dbg - Open-source version of SGI's audiofile library
Closes: 510205
Changes: 
 audiofile (0.2.6-7+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2008-5824: Fix buffer overflow when decompressing MS ADPCM .wav
     files (closes: #510205).
Checksums-Sha1: 
 d4335df98c12848c027658e754074a796419b282 1048 audiofile_0.2.6-7+lenny1.dsc
 94a6ab8e5122bc1971cf186e5a52d032811c9bc5 374688 audiofile_0.2.6.orig.tar.gz
 6abd8c2dc9b4d2ff93a2a20fbb0cf78072383888 300816 audiofile_0.2.6-7+lenny1.diff.gz
 128134e12af2c4313c8df0286ccf95e13db3be35 118288 libaudiofile-dev_0.2.6-7+lenny1_i386.deb
 b29e6ac5cd369b6f0540d74bc2925e67575a9737 77984 libaudiofile0_0.2.6-7+lenny1_i386.deb
 36b6bfff9f2a1df27183d1db975445e5be884d1f 164582 libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
Checksums-Sha256: 
 d42e29ffc61b2cdb13b6a807e8e901efe44aa8090ee8494dd1bcb50da3ed82c5 1048 audiofile_0.2.6-7+lenny1.dsc
 4b6167b56e21556fb07c9ef06962fe32817064c62181ba47afd3322e0d0f22a9 374688 audiofile_0.2.6.orig.tar.gz
 219206ef3e107a6b91ad7ae488141b8147f20cb30ade32d5d38d1d29a919bde8 300816 audiofile_0.2.6-7+lenny1.diff.gz
 1cff69b2043f63e9ede34be1d570a4f70ac1f0d566ff15c61d0c847a1496208d 118288 libaudiofile-dev_0.2.6-7+lenny1_i386.deb
 43468a6d7a3abc612f6505533e5ac1cd90db458308e8dc6632b81a32387a2219 77984 libaudiofile0_0.2.6-7+lenny1_i386.deb
 ad0d0d514b6aa1f7b13c22344281dd7d7f59df526a2330ffdf834260b400d0e6 164582 libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
Files: 
 ba1535425e02719cb32aaed448b9e615 1048 libs optional audiofile_0.2.6-7+lenny1.dsc
 9c1049876cd51c0f1b12c2886cce4d42 374688 libs optional audiofile_0.2.6.orig.tar.gz
 57eece898416b8ecf3aa5dac27f2c4fc 300816 libs optional audiofile_0.2.6-7+lenny1.diff.gz
 99ca6cf504847281ffee6095d6c56df9 118288 libdevel optional libaudiofile-dev_0.2.6-7+lenny1_i386.deb
 eaa5796ba0a90db7d759719ea46e3ea7 77984 libs optional libaudiofile0_0.2.6-7+lenny1_i386.deb
 7c84007f5260c1b9ce714d9e090b649c 164582 libdevel optional libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLLNzWbxelr8HyTqQRAqAZAJ4ulZ96Gmc83P4Au6KQ8y67WJeSCwCgsd6J
5SUq4hBCe8GWe8vEMpjV6DA=
=Yd3u
-----END PGP SIGNATURE-----

Message #95 received at 510205-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>

To: 510205-close@bugs.debian.org

Subject: Bug#510205: fixed in audiofile 0.2.6-6+etch4

Date: Fri, 22 Jan 2010 19:52:41 +0000

Source: audiofile
Source-Version: 0.2.6-6+etch4

We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive:

audiofile_0.2.6-6+etch4.diff.gz
  to main/a/audiofile/audiofile_0.2.6-6+etch4.diff.gz
audiofile_0.2.6-6+etch4.dsc
  to main/a/audiofile/audiofile_0.2.6-6+etch4.dsc
libaudiofile-dev_0.2.6-6+etch4_i386.deb
  to main/a/audiofile/libaudiofile-dev_0.2.6-6+etch4_i386.deb
libaudiofile0_0.2.6-6+etch4_i386.deb
  to main/a/audiofile/libaudiofile0_0.2.6-6+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510205@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated audiofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 19 Dec 2009 14:45:04 +0100
Source: audiofile
Binary: libaudiofile-dev libaudiofile0
Architecture: source i386
Version: 0.2.6-6+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
 libaudiofile0 - Open-source version of SGI's audiofile library
Closes: 510205
Changes: 
 audiofile (0.2.6-6+etch4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2008-5824: Fix buffer overflow when decompressing MS ADPCM .wav
     files (closes: #510205).
Files: 
 f9f760bd11ccb13c85266ace4f87d25d 629 libs optional audiofile_0.2.6-6+etch4.dsc
 dbc542c9c87880f436083facfb3ccc28 300089 libs optional audiofile_0.2.6-6+etch4.diff.gz
 4e3e58094cfa7314a7160d7f936baafb 118410 libdevel optional libaudiofile-dev_0.2.6-6+etch4_i386.deb
 e572289bc7e52fc49f256ed6d9ccbf80 77204 libs optional libaudiofile0_0.2.6-6+etch4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLU3IEbxelr8HyTqQRAjQ1AJ9fLEtnx2Uw+urm3z0g2o6jaCZmTwCaA53+
YJvhka4Rp12ZV6G+lIlWByA=
=8pXp
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.