Debian Bug report logs -
#801102
audiofile: CVE-2015-7747
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#801102; Package audiofile.
(Tue, 06 Oct 2015 10:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 06 Oct 2015 10:33:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: audiofile
Severity: important
Tags: security
Please see http://www.openwall.com/lists/oss-security/2015/10/06/2
for details.
Cheers,
Moritz
Changed Bug title to 'audiofile: CVE-2015-7747' from 'audiofile: Memory corruption (no CVE yet)'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 08 Oct 2015 05:27:12 GMT) (full text, mbox, link).
Marked as found in versions 0.3.6-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 08 Oct 2015 05:27:12 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#801102; Package audiofile.
(Mon, 13 Jun 2016 09:24:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Mon, 13 Jun 2016 09:24:04 GMT) (full text, mbox, link).
Message #14 received at 801102@bugs.debian.org (full text, mbox, reply):
Hi. You get this email as author of the audiofile package. Are you
aware of the security issue reported in Debian for audiofile, see the
CVE entry on top of <URL: https://bugs.debian.org/src:audiofile >. Is
there a fix available? Is the same issue reported in other bug trackers
you are aware of? Are there plans for a new release?
--
Happy hacking
Petter Reinholdtsen
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#801102; Package audiofile.
(Tue, 14 Jun 2016 13:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 14 Jun 2016 13:21:05 GMT) (full text, mbox, link).
Message #19 received at 801102@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://github.com/mpruett/audiofile/pull/25
Hi,
On Mon, 2016-06-13 at 11:20 +0200, Petter Reinholdtsen wrote:
> Hi. You get this email as author of the audiofile package. Are you
> aware of the security issue reported in Debian for audiofile, see the
> CVE entry on top of <URL: https://bugs.debian.org/src:audiofile
> >. Is there a fix available? Is the same issue reported in other
> bug trackers you are aware of? Are there plans for a new release?
The fix is here:
https://github.com/mpruett/audiofile/pull/25
The links at the top of this page should lead you to various other bug
trackers:
https://security-tracker.debian.org/tracker/CVE-2015-7747
I can fix it right now in Debian (along with a few other things). Hold
on a moment...
James
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#801102; Package audiofile.
(Tue, 14 Jun 2016 13:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 14 Jun 2016 13:45:03 GMT) (full text, mbox, link).
Message #26 received at 801102@bugs.debian.org (full text, mbox, reply):
[James Cowgill]
> I can fix it right now in Debian (along with a few other things). Hold
> on a moment...
Very good. Via the upstream github pull request I discovered that
Ubuntu already uploaded a fix, available as a rather messy patch from
<URL: https://patches.ubuntu.com/a/audiofile/audiofile_0.3.6-2ubuntu0.15.10.1.patch >.
I look forward to seeing the fix in Debian unstable. Do you plan to fix
it in stable too?
--
Happy hacking
Petter Reinholdtsen
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#801102; Package audiofile.
(Tue, 14 Jun 2016 14:03:12 GMT) (full text, mbox, link).
Acknowledgement sent
to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 14 Jun 2016 14:03:12 GMT) (full text, mbox, link).
Message #31 received at 801102@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, 2016-06-14 at 15:43 +0200, Petter Reinholdtsen wrote:
> [James Cowgill]
> > I can fix it right now in Debian (along with a few other things). Hold
> > on a moment...
>
> Very good. Via the upstream github pull request I discovered that
> Ubuntu already uploaded a fix, available as a rather messy patch from
> .
>
> I look forward to seeing the fix in Debian unstable. Do you plan to fix
> it in stable too?
After I've fixed it in unstable, I'll ping the security team and see
what they have to say about stable updates. Jessie has 0.3.6 as well so
the patch should be identical.
James
[signature.asc (application/pgp-signature, inline)]
Added tag(s) pending.
Request was from James Cowgill <james410@cowgill.org.uk>
to control@bugs.debian.org.
(Tue, 14 Jun 2016 14:24:09 GMT) (full text, mbox, link).
Message sent on
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#801102.
(Tue, 14 Jun 2016 14:24:14 GMT) (full text, mbox, link).
Message #36 received at 801102-submitter@bugs.debian.org (full text, mbox, reply):
tag 801102 pending
thanks
Hello,
Bug #801102 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=pkg-multimedia/audiofile.git;a=commitdiff;h=c1eab43
---
commit c1eab43f08216f7a025e6e4ad5f395a89ae76800
Author: James Cowgill <james410@cowgill.org.uk>
Date: Tue Jun 14 15:06:36 2016 +0100
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index 2c57261..908a453 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,17 @@
-audiofile (0.3.6-3) UNRELEASED; urgency=medium
+audiofile (0.3.6-3) unstable; urgency=high
* Team upload.
- *
- -- James Cowgill <jcowgill@debian.org> Tue, 14 Jun 2016 11:14:39 +0100
+ * Add patches to:
+ - Fix CVE-2015-7747: buffer overflow when changing both sample format and
+ number of channels. (Closes: #801102)
+ - Fix FTBFS with GCC 6. (Closes: #812055)
+ - Remove usage of PATH_MAX to fix FTBFS on Hurd. (Closes: #762595)
+ * Drop -dbg package in favour of the automatic dbgsym package.
+ * Bump standards version to 3.9.8.
+ * Use secure Vcs URLs.
+
+ -- James Cowgill <jcowgill@debian.org> Tue, 14 Jun 2016 15:05:46 +0100
audiofile (0.3.6-2) unstable; urgency=low
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#801102; Package audiofile.
(Tue, 14 Jun 2016 15:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 14 Jun 2016 15:36:04 GMT) (full text, mbox, link).
Message #41 received at 801102@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
On Tue, Jun 14, 2016 at 03:00:08PM +0100, James Cowgill wrote:
> On Tue, 2016-06-14 at 15:43 +0200, Petter Reinholdtsen wrote:
> > [James Cowgill]
> > > I can fix it right now in Debian (along with a few other things). Hold
> > > on a moment...
> >
> > Very good. Via the upstream github pull request I discovered that
> > Ubuntu already uploaded a fix, available as a rather messy patch from
> > .
> >
> > I look forward to seeing the fix in Debian unstable. Do you plan to fix
> > it in stable too?
>
> After I've fixed it in unstable, I'll ping the security team and see
> what they have to say about stable updates. Jessie has 0.3.6 as well so
> the patch should be identical.
We marked the issue as no-dsa a while back. Could you (once the fix
landed in unstable) address this via a stable update via jessie-pu,
see
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
for documentation.
Thanks a lot for your work,
Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]
Reply sent
to James Cowgill <jcowgill@debian.org>:
You have taken responsibility.
(Tue, 14 Jun 2016 16:39:14 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Tue, 14 Jun 2016 16:39:14 GMT) (full text, mbox, link).
Message #46 received at 801102-close@bugs.debian.org (full text, mbox, reply):
Source: audiofile
Source-Version: 0.3.6-3
We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 801102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated audiofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 14 Jun 2016 15:05:46 +0100
Source: audiofile
Binary: audiofile-tools libaudiofile-dev libaudiofile1
Architecture: source
Version: 0.3.6-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
audiofile-tools - sfinfo and sfconvert tools
libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
libaudiofile1 - Open-source version of SGI's audiofile library
Closes: 762595 801102 812055
Changes:
audiofile (0.3.6-3) unstable; urgency=high
.
* Team upload.
.
* Add patches to:
- Fix CVE-2015-7747: buffer overflow when changing both sample format and
number of channels. (Closes: #801102)
- Fix FTBFS with GCC 6. (Closes: #812055)
- Remove usage of PATH_MAX to fix FTBFS on Hurd. (Closes: #762595)
* Drop -dbg package in favour of the automatic dbgsym package.
* Bump standards version to 3.9.8.
* Use secure Vcs URLs.
Checksums-Sha1:
43ccc7bfd48a9a866bc7d3583b128c7706eee9fb 2129 audiofile_0.3.6-3.dsc
4e06bd38ea86d5f0da6df6eafc8d02ee8cafd6da 14124 audiofile_0.3.6-3.debian.tar.xz
Checksums-Sha256:
48ddbb83a13b79ea00d8dcc04fce2d07f6176311c8ca6791b8d168c433b1d67c 2129 audiofile_0.3.6-3.dsc
9a7f5503109ed99ded7ac951e2f28a8a25050300c45ba3df9a811624ec1279de 14124 audiofile_0.3.6-3.debian.tar.xz
Files:
6df1e201eaa6ac213a02060c90d4ff82 2129 libs optional audiofile_0.3.6-3.dsc
a85bc0accd02abfe67ba7a04d2b01e46 14124 libs optional audiofile_0.3.6-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJXYBKNAAoJEMfxZ23qLQHvfggP/0cBZpEhAadsTPVz4PFvxM7t
RgiX8BR86kS7rNs1ygO8i/I+DFCg6xh67qUTqblDnL76CrFmzn/pbqsCq5HDnMj8
yd61tHHAv1c4bJZJhSQdFG4NfabNoOMvZVx2QgLpXirhhxWj9WZPrUMmVrUt9U6h
S4qgN5GILxsp0nO4dyCH3jpqb8+Ce8mimPDH0KQLDUM1HERGDjpCwSqvZAdyId9K
mcBLnXz8J7FB4xc87n6PzIwclwX4O2ZeF9W1LKitQTjAQ4W81uaKltyTnDEpJXQk
+9eb1+FVInu/d10rstiu3vCqtw5D/+DkGRh9oh4IVrqwDmqfiIV2QsetgD5vS/l3
G2Rz/NJN5zgBrzajegG0bKqyCiM9cAFfc3PyEqtQOo9fMjyV6ql8Uzbiss6WzbzC
pB8lIACUDc/e8ZmL5s6lc/DByGMxlg2588EsWDutWZ1k7gEADKoEsbBbdvyIyaLF
OFWcBudgXRjI8rx35xe/ozshqnAthrtAXO5AqeME1bcbAaNag5FguUDLMcLoeaZE
AjfCdeBjoYrlpLiYqF8wqZJH0GWHFG5tT9r0B9S/GR9+ITLBpiGbAslcG5YdxU5r
sCOai5uC63H1qgUuLIw6OQ6X1wjy+HW9uamNvKIBnSQNPBYVCKecHqngs+85OTlw
hfipOVpskghAm6TJVxf3
=mucb
-----END PGP SIGNATURE-----
Reply sent
to James Cowgill <jcowgill@debian.org>:
You have taken responsibility.
(Tue, 28 Jun 2016 05:21:07 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Tue, 28 Jun 2016 05:21:08 GMT) (full text, mbox, link).
Message #51 received at 801102-close@bugs.debian.org (full text, mbox, reply):
Source: audiofile
Source-Version: 0.3.6-2+deb8u1
We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 801102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated audiofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 14 Jun 2016 16:39:49 +0100
Source: audiofile
Binary: audiofile-tools libaudiofile-dev libaudiofile1 libaudiofile-dbg
Architecture: source amd64
Version: 0.3.6-2+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
audiofile-tools - sfinfo and sfconvert tools
libaudiofile-dbg - Open-source version of SGI's audiofile library (debug)
libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
libaudiofile1 - Open-source version of SGI's audiofile library
Closes: 801102
Changes:
audiofile (0.3.6-2+deb8u1) jessie; urgency=high
.
* Team upload.
* Fix CVE-2015-7747: buffer overflow when changing both sample format and
number of channels. (Closes: #801102)
Checksums-Sha1:
d3058882b7dfbcc5cb2b12754ef08fd344c073ed 2216 audiofile_0.3.6-2+deb8u1.dsc
42f92b79025c63a460d7e8158d3a7587943fe077 12084 audiofile_0.3.6-2+deb8u1.debian.tar.xz
2e6a7da1c58441d4a8f4811530639f75cb061f42 34724 audiofile-tools_0.3.6-2+deb8u1_amd64.deb
e400cac3ada3c64533d20733912718f08357e1fc 58748 libaudiofile-dev_0.3.6-2+deb8u1_amd64.deb
dc43e86e651331ad3b0732f7cee56fc937cb7f3c 114430 libaudiofile1_0.3.6-2+deb8u1_amd64.deb
ce0bf161be64b4c5ddfc9fb8cd6620688ba04164 595382 libaudiofile-dbg_0.3.6-2+deb8u1_amd64.deb
Checksums-Sha256:
b869c097202b5560fdddb81cff0ad768dabc0f6c8f571334a9104f11609ba501 2216 audiofile_0.3.6-2+deb8u1.dsc
de88f0a307824b82dd51758528ebf990d53e54c471f5ceef1d314fd117c45177 12084 audiofile_0.3.6-2+deb8u1.debian.tar.xz
d70ef948be8bb2e655b010fc3324da8b02f1cbb9d36856d3fea82f4e79ed22b6 34724 audiofile-tools_0.3.6-2+deb8u1_amd64.deb
598b370456c5aebc7efd9000f784ef694c581527dc48feb7ccf16af33423048a 58748 libaudiofile-dev_0.3.6-2+deb8u1_amd64.deb
501cc29d87e0e078bfefcbf768ebb83f0abf8971dfd394c39f54bfde3c7ae8d7 114430 libaudiofile1_0.3.6-2+deb8u1_amd64.deb
7e6bf25c33816807a6cf10afbd44c34a22a6c411071873dd4a8894b2bd58062d 595382 libaudiofile-dbg_0.3.6-2+deb8u1_amd64.deb
Files:
af29958010465ce3f5d8c4779f573141 2216 libs optional audiofile_0.3.6-2+deb8u1.dsc
d4e1b4b3c15764ae03a2d60d300e1560 12084 libs optional audiofile_0.3.6-2+deb8u1.debian.tar.xz
eaddfc1d67697c8a2b96c82ab47885dc 34724 utils optional audiofile-tools_0.3.6-2+deb8u1_amd64.deb
cf69ac70d4fd2439c8a9b54a4cecb25c 58748 libdevel optional libaudiofile-dev_0.3.6-2+deb8u1_amd64.deb
2a56ea3b9ed291dccd03ef0606f654ef 114430 libs optional libaudiofile1_0.3.6-2+deb8u1_amd64.deb
7c51b697c522424128c51a5030794c87 595382 debug extra libaudiofile-dbg_0.3.6-2+deb8u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJXZHN0AAoJEMfxZ23qLQHvLHIP/10CJFAJeGAzpjf7cm0GPdFE
M66X1BvfRqWXy/07sYjhx/CggtiVM2Uz+yhJvPC4AVs/YDj3YDhteWzUM/xqtcB6
vrSz+NULADHAuQ3YC13QpqnoWjFMcIC1Ylw9afIElpAfZqSBwdP43ukYuJyFf/NO
Xj0WaKMh8fDS8wG7MIygD+Yq+lrRMfW02DPF5DBxO78gosvqAxYtjBXm102GWl8h
DYGbn/hR4OlhJVfG9Cr+MI9LOZ66lgXi/Rkbb8dFV9YGJP4kUZU+QFKw2N/k6eOl
JSy/Vbf3Vc9/sUBlpxonyZ9JvDVB4DPB5EOZIzObzsKe5Fbozmsh4G5NMzDYtXW1
7WbXSkEZ3TEngvTJeW/nMzEpEsTo4ynIFY+1ArXG2l/9NA+OqZdcYIu09hywWXtE
/OOue9TvN5shpo5vT/oYGoCO5LwcGXqijDgHsKD/3BswY6BaVnR2RiayJjVdaduZ
+34vJDAkzY/NvBrGYZjMEWWeNKyPOJdlhwKMBeScMvCrM49NSW4l8MqJh4auvWS0
OZN0sUbrto6C9aWRc+KCIR7tk4mGG1TO76z+9QMCL+eOv8D+jJA/f7MBPEmB8DxF
Dtm6E86aAkr07Q4bJD8Lo7UxyovnSdsSPS2UUb4IGyeBR9rh9NbgjhUVJg+DZ/Ao
UB43bIARjKuAnFwHuQHt
=k7nh
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jul 2016 07:25:20 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:55:34 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon