libextractor: CVE-2017-15266 CVE-2017-15267

Related Vulnerabilities: CVE-2017-15266   CVE-2017-15267   CVE-2017-15600   CVE-2017-15601   CVE-2017-15602  

Debian Bug report logs - #878314
libextractor: CVE-2017-15266 CVE-2017-15267


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 12 Oct 2017 17:21:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version libextractor/1:1.3-2

Fixed in version libextractor/1:1.6-1

Done: Bertrand Marc <bmarc@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#878314; Package src:libextractor. (Thu, 12 Oct 2017 17:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>. (Thu, 12 Oct 2017 17:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libextractor: CVE-2017-15266 CVE-2017-15267
Date: Thu, 12 Oct 2017 19:17:33 +0200
Source: libextractor
Version: 1:1.3-2
Severity: important
Tags: patch security upstream

Hi,

the following vulnerabilities were published for libextractor.

CVE-2017-15266[0]:
| In GNU Libextractor 1.4, there is a Divide-By-Zero in
| EXTRACTOR_wav_extract_method in wav_extractor.c via a zero sample rate.

CVE-2017-15267[1]:
| In GNU Libextractor 1.4, there is a NULL Pointer Dereference in
| flac_metadata in flac_extractor.c.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15266
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15266
[1] https://security-tracker.debian.org/tracker/CVE-2017-15267
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15267

The security-tracker entries contain links to the respective commits as
well.

Regards,
Salvatore
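
As an added illustration of the CVE-2017-15266 bug class quoted in the message above (not libextractor's code and not part of the original report): a play-time calculation over a WAV header that validates the file-supplied divisors before dividing. The canonical 44-byte PCM header layout and the names `wav_duration_ms` and `sample_duration` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field accessors for the canonical 44-byte PCM WAV header. */
static uint32_t rd(const uint8_t *p, int n) {
  uint32_t v = 0;
  while (n-- > 0) v = (v << 8) | p[n];
  return v;
}
static void wr(uint8_t *p, int n, uint32_t v) {
  for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Stores the play time in *ms and returns 0, or returns -1 when the header
   is malformed. Both divisors come from the file, so both are checked. */
int wav_duration_ms(const uint8_t *buf, size_t len, uint64_t *ms) {
  if (buf == NULL || ms == NULL || len < 44) return -1;
  if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4) ||
      memcmp(buf + 12, "fmt ", 4)) return -1;
  uint32_t channels = rd(buf + 22, 2);
  uint32_t sample_rate = rd(buf + 24, 4);
  uint32_t bits = rd(buf + 34, 2);
  uint32_t data_len = rd(buf + 40, 4);
  uint32_t frame_bytes = channels * (bits / 8);
  if (sample_rate == 0 || frame_bytes == 0) return -1; /* reject, never divide */
  *ms = (uint64_t)(data_len / frame_bytes) * 1000 / sample_rate;
  return 0;
}

/* Constructed test input: build a header from the given fields and return
   the computed duration in ms, or -1 if the parser rejected it. */
long long sample_duration(uint32_t channels, uint32_t rate, uint32_t bits,
                          uint32_t data_len) {
  uint8_t h[44] = {0};
  uint64_t ms;
  memcpy(h, "RIFF", 4); memcpy(h + 8, "WAVE", 4);
  memcpy(h + 12, "fmt ", 4); memcpy(h + 36, "data", 4);
  wr(h + 22, 2, channels); wr(h + 24, 4, rate);
  wr(h + 34, 2, bits); wr(h + 40, 4, data_len);
  return wav_duration_ms(h, sizeof h, &ms) == 0 ? (long long)ms : -1;
}

int main(void) {
  printf("valid: %lld ms\n", sample_duration(2, 44100, 16, 176400));
  printf("zero sample rate: %lld\n", sample_duration(2, 0, 16, 176400));
  return 0;
}
```

A zero channel count or a sample size below 8 bits makes the frame size zero, so the same guard covers that second divisor as well.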



Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Sat, 21 Oct 2017 18:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 21 Oct 2017 18:51:06 GMT)


Message #10 received at 878314-close@bugs.debian.org:

From: Bertrand Marc <bmarc@debian.org>
To: 878314-close@bugs.debian.org
Subject: Bug#878314: fixed in libextractor 1:1.6-1
Date: Sat, 21 Oct 2017 18:49:55 +0000
Source: libextractor
Source-Version: 1:1.6-1

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 21 Oct 2017 19:21:55 +0200
Source: libextractor
Binary: libextractor3 libextractor-dev extract
Architecture: source amd64
Version: 1:1.6-1
Distribution: unstable
Urgency: medium
Maintainer: Bertrand Marc <bmarc@debian.org>
Changed-By: Bertrand Marc <bmarc@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 878314
Changes:
 libextractor (1:1.6-1) unstable; urgency=medium
 .
   * New upstream version 1.6: fixes CVE-2017-15266, CVE-2017-15267,
     CVE-2017-15600, CVE-2017-15601, CVE-2017-15602 (Closes: #878314).
   * Standards-version: 4.1.1.
   * Use https instead of ftp in debian/watch.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Nov 2017 07:26:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:55:30 2019; Machine Name: buxtehude
