wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172


Debian Bug report logs - #853076
wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 29 Jan 2017 15:48:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version wavpack/5.0.0-1

Fixed in version wavpack/5.0.0-2

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#853076; Package src:wavpack. (Sun, 29 Jan 2017 15:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 29 Jan 2017 15:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172
Date: Sun, 29 Jan 2017 16:45:02 +0100
Source: wavpack
Version: 5.0.0-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for wavpack.

CVE-2016-10169[0]:
global buffer overread in read_code / read_words.c

CVE-2016-10170[1]:
heap out of bounds read in WriteCaffHeader / caff.c

CVE-2016-10171[2]:
heap out of bounds read in unreorder_channels / wvunpack.c

CVE-2016-10172[3]:
heap oob read in read_new_config_info / open_utils.c

They are all fixed by the same commit [4] upstream.

Unless I'm wrong, I think those issues would not warrant a DSA for
jessie, but could you please make the fix be included in stretch so
that we do not ship wavpack affected by these?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10169
[1] https://security-tracker.debian.org/tracker/CVE-2016-10170
[2] https://security-tracker.debian.org/tracker/CVE-2016-10171
[3] https://security-tracker.debian.org/tracker/CVE-2016-10172
[4] https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc

Please adjust the affected versions in the BTS as needed.



Added tag(s) pending. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2017 20:09:05 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#853076. (Mon, 30 Jan 2017 20:09:09 GMT)


Message #10 received at 853076-submitter@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 853076-submitter@bugs.debian.org
Subject: Bug#853076 marked as pending
Date: Mon, 30 Jan 2017 20:06:38 +0000
tag 853076 pending
thanks

Hello,

Bug #853076 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-multimedia/wavpack.git;a=commitdiff;h=9acfd3d

---
commit 9acfd3d4bc19a895297f23f6b33f86e62d07f668
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Mon Jan 30 21:04:32 2017 +0100

    Finalize changelog

diff --git a/debian/changelog b/debian/changelog
index 18586f6..3cc049a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+wavpack (5.0.0-2) unstable; urgency=medium
+
+  * Team upload.
+  * debian/patches: Apply upstream fix to fix some fuzz failures
+    (CVE-2016-10169, CVE-2016-10170, CVE-2016-10171, CVE-2016-10172). (Closes:
+    #853076)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Mon, 30 Jan 2017 21:04:05 +0100
+
 wavpack (5.0.0-1) unstable; urgency=medium
 
   * Team upload.
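Review bot: the changelog entry for 5.0.0-2 says "Apply upstream fix to fix some fuzz failures" but does not name the patch file added under debian/patches or the upstream commit it was taken from, so a reader auditing which CVE maps to which code change has to go back to the bug report to find it; since the report already cites upstream commit 4bc05fc490b66ef2d45b1de26abf1455b486b0dc as fixing all four CVEs, consider naming the patch file and that commit in the entry. Minor style point on the same line: "fix to fix" reads awkwardly; "Apply upstream fix for several fuzz failures" says the same thing.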



Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Mon, 30 Jan 2017 21:27:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 30 Jan 2017 21:27:09 GMT)


Message #15 received at 853076-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 853076-close@bugs.debian.org
Subject: Bug#853076: fixed in wavpack 5.0.0-2
Date: Mon, 30 Jan 2017 21:24:40 +0000
Source: wavpack
Source-Version: 5.0.0-2

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 853076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 30 Jan 2017 21:04:05 +0100
Source: wavpack
Binary: libwavpack1 libwavpack-dev wavpack
Architecture: source
Version: 5.0.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libwavpack-dev - audio codec (lossy and lossless) - development files
 libwavpack1 - audio codec (lossy and lossless) - library
 wavpack    - audio codec (lossy and lossless) - encoder and decoder
Closes: 853076
Changes:
 wavpack (5.0.0-2) unstable; urgency=medium
 .
   * Team upload.
   * debian/patches: Apply upstream fix to fix some fuzz failures
     (CVE-2016-10169, CVE-2016-10170, CVE-2016-10171, CVE-2016-10172). (Closes:
     #853076)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Mar 2017 07:37:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:12:23 2019; Machine Name: beach
