Debian Bug report logs - #876783
libsndfile: CVE-2017-14634
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 25 Sep 2017 20:27:01 UTC
Severity: normal
Tags: fixed-upstream, security, upstream
Found in versions libsndfile/1.0.28-4, libsndfile/1.0.25-9, libsndfile/1.0.25-9.1
Fixed in version libsndfile/1.0.28-5
Done: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/erikd/libsndfile/issues/318
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#876783; Package src:libsndfile. (Mon, 25 Sep 2017 20:27:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 25 Sep 2017 20:27:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libsndfile
Version: 1.0.28-4
Severity: normal
Tags: upstream security
Forwarded: https://github.com/erikd/libsndfile/issues/318
Control: found -1 1.0.25-9.1
Hi,
the following vulnerability was published for libsndfile.
CVE-2017-14634[0]:
| In libsndfile 1.0.28, a divide-by-zero error exists in the function
| double64_init() in double64.c, which may lead to DoS when playing a
| crafted audio file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14634
[1] https://github.com/erikd/libsndfile/issues/318
Regards,
Salvatore
Marked as found in versions libsndfile/1.0.25-9.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 25 Sep 2017 20:27:04 GMT)
Marked as found in versions libsndfile/1.0.25-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 Sep 2017 20:33:03 GMT)
Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 02 Oct 2017 18:03:13 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#876783; Package src:libsndfile. (Sun, 26 Nov 2017 07:36:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 26 Nov 2017 07:36:05 GMT)
Message #16 received at 876783@bugs.debian.org:
Hi
On Mon, Sep 25, 2017 at 10:24:01PM +0200, Salvatore Bonaccorso wrote:
> Forwarded: https://github.com/erikd/libsndfile/issues/318
Upstream fix: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#876783. (Tue, 12 Feb 2019 15:03:05 GMT)
Message #19 received at 876783-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #876783 in libsndfile reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/multimedia-team/libsndfile/commit/28a8be8932bb69561aef4d279ccfb3e3bdd5205d
------------------------------------------------------------------------
Patch to fix division by zero (CVE-2017-14634)
Closes: #876783
Thanks: Fabian Greffrath <fabian@greffrath.com>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/876783
Added tag(s) pending. Request was from IOhannes zmölnig <noreply@salsa.debian.org> to 876783-submitter@bugs.debian.org. (Tue, 12 Feb 2019 15:03:05 GMT)
Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>: You have taken responsibility. (Tue, 12 Feb 2019 15:39:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 12 Feb 2019 15:39:03 GMT)
Message #26 received at 876783-close@bugs.debian.org:
Source: libsndfile
Source-Version: 1.0.28-5
We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876783@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 12 Feb 2019 15:59:58 +0100
Source: libsndfile
Architecture: source
Version: 1.0.28-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Closes: 876783 884735 917416
Changes:
libsndfile (1.0.28-5) unstable; urgency=medium
.
[ Ondřej Nový ]
* d/control: Set Vcs-* to salsa.debian.org
* d/changelog: Remove trailing whitespaces
.
[ Felipe Sateler ]
* Change maintainer address to debian-multimedia@lists.debian.org
.
[ IOhannes m zmölnig (Debian/GNU) ]
* Normalize patches with 'gbp pq'
* Add patch to fix buffer overflows in alaw/ulaw code
(CVE-2018-19661, CVE-2018-19662, CVE-2017-17456 and CVE-2017-17457).
Thanks to Hugo Lefeuvre <hle@owl.eu.com> (Closes: #884735)
* Patch to fix division by zero (CVE-2017-14634)
Thanks to Fabian Greffrath <fabian@greffrath.com> (Closes: #876783)
* Patch to fix heap read overflow (CVE-2018-19758)
Thanks to Erik de Castro Lopo <erikd@mega-nerd.com> (Closes: #917416)
* Patch to ensure that maxnum channels is not exceeded.
Thanks to Brett T. Warden <brett.t.warden@intel.com>
* Declare that "root" is not required to build this package
* Removed whitespace at end of d/changelog
* Bumped dh compat to 12
* Bump standards version to 4.3.0
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Apr 2019 07:31:54 GMT)
Last modified: Wed Jun 19 18:53:28 2019