libsndfile: CVE-2014-9496: buffer overread

Related Vulnerabilities: CVE-2014-9496  

Debian Bug report logs - #774162


Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 29 Dec 2014 18:36:18 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version 1.0.25-9

Fixed in version libsndfile/1.0.25-9.1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#774162; Package libsndfile. (Mon, 29 Dec 2014 18:36:23 GMT).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Erik de Castro Lopo <erikd@mega-nerd.com>. (Mon, 29 Dec 2014 18:36:23 GMT).


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: libsndfile: two buffer read overflows
Date: Mon, 29 Dec 2014 20:35:25 +0200

Package: libsndfile
Version: 1.0.25-9
Severity: important
Tags: security, fixed-upstream

Fixed in https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378
CVE request http://www.openwall.com/lists/oss-security/2014/12/25/2

--
Henri Salo



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2014 18:39:08 GMT).


Changed Bug title to 'libsndfile: CVE-2014-9496: buffer overread' from 'libsndfile: two buffer read overflows'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2015 04:45:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#774162; Package libsndfile. (Mon, 26 Jan 2015 01:39:04 GMT).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Erik de Castro Lopo <erikd@mega-nerd.com>. (Mon, 26 Jan 2015 01:39:04 GMT).


Message #14 received at 774162@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 774162@bugs.debian.org
Subject: re: libsndfile: CVE-2014-9496: buffer overread
Date: Sun, 25 Jan 2015 20:37:27 -0500
control: tag -1 patch, pending

Hi,

I've uploaded an nmu fixing this issue to delayed/5.  Please see attached.

Best wishes,
Mike
[libsndfile.patch (text/x-patch, attachment)]

Added tag(s) pending and patch. Request was from Michael Gilbert <mgilbert@debian.org> to 774162-submit@bugs.debian.org. (Mon, 26 Jan 2015 01:39:04 GMT).


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sat, 31 Jan 2015 03:39:09 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 31 Jan 2015 03:39:09 GMT).


Message #21 received at 774162-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 774162-close@bugs.debian.org
Subject: Bug#774162: fixed in libsndfile 1.0.25-9.1
Date: Sat, 31 Jan 2015 03:35:07 +0000
Source: libsndfile
Source-Version: 1.0.25-9.1

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774162@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 26 Jan 2015 01:32:01 +0000
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs libsndfile1-dbg sndfile-programs-dbg
Architecture: source
Version: 1.0.25-9.1
Distribution: unstable
Urgency: high
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dbg - debugging symbols for libsndfile
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
 sndfile-programs-dbg - debugging symbols for sndfile-programs
Closes: 774162
Changes:
 libsndfile (1.0.25-9.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2014-9496: buffer overread issues (closes: #774162).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Mar 2015 07:28:16 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:55:16 2019; Machine Name: buxtehude
