flac: CVE-2014-8962/CVE-2014-9028: heap buffer overflows

Debian Bug report logs - #770918
flac: CVE-2014-8962/CVE-2014-9028: heap buffer overflows

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Erik de Castro Lopo <erikd@mega-nerd.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Two CVEs against FLAC

Date: Tue, 25 Nov 2014 19:36:18 +1100

Package: flac
Version: 1.3.0-2+b1
Severity: serious
Tags: security

From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html

> Google Security Team member, Michele Spagnuolo, recently found two potential
> problems in the FLAC code base. They are :
> 
> 
>     CVE-2014-9028 : Heap buffer write overflow
>     CVE-2014-8962 : Heap buffer read overflow
> 
> For Linux distributions, the specific fixes for these two CVEs are available
> from Git here:
> 
>     https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
>     https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
> 
> and are simple enough that they should apply cleanly to the last official
> release 1.3.0 and possibly even the previous one, 1.2.1.
> 
> A pre-release (version 1.3.1pre1) for the next version which includes these
> fixes and more is available here:
> 
>     http://downloads.xiph.org/releases/flac/beta/
> 
> A full release (version 1.3.1) will be available in the next couple of days.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages flac depends on:
ii  libc6     2.19-13
ii  libflac8  1.3.0-2+b1

flac recommends no packages.

flac suggests no packages.

-- no debconf information

Message #14 received at 770918@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 770918@bugs.debian.org

Subject: patches

Date: Tue, 25 Nov 2014 13:53:18 +0200

[Message part 1 (text/plain, inline)]

Attached patches from upstream, which apply to 1.2.1-6. DSA should be created.

---
Henri Salo

[CVE-2014-8962.patch (text/x-diff, attachment)]

[CVE-2014-9028.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #23 received at 770918@bugs.debian.org (full text, mbox, reply):

From: Erik de Castro Lopo <erikd@mega-nerd.com>

To: 770918@bugs.debian.org

Subject: Re: Bug#770918: Two CVEs against FLAC

Date: Wed, 26 Nov 2014 19:58:05 -0800

Erik de Castro Lopo wrote:

> Package: flac
> Version: 1.3.0-2+b1
> Severity: serious
> Tags: security
> 
> From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html
> 
> > Google Security Team member, Michele Spagnuolo, recently found two potential
> > problems in the FLAC code base. They are :
> > 
> >     CVE-2014-9028 : Heap buffer write overflow
> >     CVE-2014-8962 : Heap buffer read overflow
> > 
> > For Linux distributions, the specific fixes for these two CVEs are available
> > from Git here:
> > 
> >     https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
> >     https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
> > 
> > and are simple enough that they should apply cleanly to the last official
> > release 1.3.0 and possibly even the previous one, 1.2.1.

One more patch to cherry pick:

    https://git.xiph.org/?p=flac.git;a=commit;h=5a365996d739bdf4711af51d9c2c71c8a5e14660


> > A pre-release (version 1.3.1pre1) for the next version which includes these
> > fixes and more is available here:
> > 
> >     http://downloads.xiph.org/releases/flac/beta/
> > 
> > A full release (version 1.3.1) will be available in the next couple of days.

The 1.3.1 release is available here:

    http://downloads.xiph.org/releases/flac/

Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/

Message #28 received at 770918@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@greffrath.com>

To: Erik de Castro Lopo <erikd@mega-nerd.com>, 770918@bugs.debian.org

Subject: Re: Bug#770918: Two CVEs against FLAC

Date: Thu, 27 Nov 2014 10:22:34 +0100

Am Mittwoch, den 26.11.2014, 19:58 -0800 schrieb Erik de Castro Lopo: 
> One more patch to cherry pick:

Thank you very much!

I hope to be able to prepare updated packages by next week.

- Fabian

Message #33 received at 770918-close@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian+debian@greffrath.com>

To: 770918-close@bugs.debian.org

Subject: Bug#770918: fixed in flac 1.3.0-3

Date: Thu, 27 Nov 2014 16:04:11 +0000

Source: flac
Source-Version: 1.3.0-3

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770918@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian+debian@greffrath.com> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Nov 2014 16:52:51 +0100
Source: flac
Binary: flac libflac8 libflac-doc libflac-dev libflac++6 libflac++-dev
Architecture: source amd64 all
Version: 1.3.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian+debian@greffrath.com>
Description:
 flac       - Free Lossless Audio Codec - command line tools
 libflac++-dev - Free Lossless Audio Codec - C++ development library
 libflac++6 - Free Lossless Audio Codec - C++ runtime library
 libflac-dev - Free Lossless Audio Codec - C development library
 libflac-doc - Free Lossless Audio Codec - library documentation
 libflac8   - Free Lossless Audio Codec - runtime C library
Closes: 770918
Changes:
 flac (1.3.0-3) unstable; urgency=high
 .
   * Fixes for CVE-2014-8962 and CVE-2014-9028:
     + Backport three patches from upstream GIT repository:
       - CVE-2014-8962.patch: Fix a buffer read overflow.
       - CVE-2014-9028.patch: Avoid a heap overflow.
       - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
         the former fix, but strictly speaking not the same vulnerability.
     + Closes: #770918.
     + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
Checksums-Sha1:
 afd9218d22316717874fa8819c1903bb9882f6c8 2259 flac_1.3.0-3.dsc
 d5cf793e8d010dab3b30280ef24f52c5f485186d 14772 flac_1.3.0-3.debian.tar.xz
 a52ffa2d39a70a51686ac063f925d802938b1206 121872 flac_1.3.0-3_amd64.deb
 648e0ed79e5c48af542caa7fc07b207704609150 89338 libflac8_1.3.0-3_amd64.deb
 ac9628c3a1e31196162695438f2a0eb4fe9b26ba 697574 libflac-doc_1.3.0-3_all.deb
 1eb6f20fd201494f46793233bc4b03c2949cc26d 137580 libflac-dev_1.3.0-3_amd64.deb
 434afd33215a55b788d3c120aec9c64166e86d86 32474 libflac++6_1.3.0-3_amd64.deb
 b9d4a248c2f7a49b2c3638d872892cdb83133351 39006 libflac++-dev_1.3.0-3_amd64.deb
Checksums-Sha256:
 9dafbe2aa5bfd1aff558b6d0c50598a54ec66c89346648f3e51ccea153dbc8ce 2259 flac_1.3.0-3.dsc
 4be6690850e4646764a740bdfa14688cd16c8913af5c9f26f539c30c69c879f2 14772 flac_1.3.0-3.debian.tar.xz
 20b03f83c29fb2c3a7f1671bf9cbd7a34ee567200438e32287545aa9aed21d1e 121872 flac_1.3.0-3_amd64.deb
 a896332bb1d649b0ff8997d9f17a5c40275451d084de6227a3a4ef0269f5e4b0 89338 libflac8_1.3.0-3_amd64.deb
 07600d12edbb7628798474700fdd7b2175c462a28fdf0158dc94082bb4c33390 697574 libflac-doc_1.3.0-3_all.deb
 8f3296ae2473723378fbc02be96816b079653afce3585fd62e66b2a80c720cb7 137580 libflac-dev_1.3.0-3_amd64.deb
 cef3041c045728a950a39871e75a1758f40a0f1fc738ced8b42391bbb38df360 32474 libflac++6_1.3.0-3_amd64.deb
 1da6536fa2dc94d69c16b067dd8d69569669c95684cb4b41096a18b73f7d6dc9 39006 libflac++-dev_1.3.0-3_amd64.deb
Files:
 b9a7fa51da3a01ca56d9a8a296730c82 2259 sound optional flac_1.3.0-3.dsc
 ad82e54da7f973053bcbc6eee97b8fb1 14772 sound optional flac_1.3.0-3.debian.tar.xz
 c89bbc50c12d202a53b888e6a26e5809 121872 sound optional flac_1.3.0-3_amd64.deb
 e14e552f7d7684b5ca96fc53d800080a 89338 libs optional libflac8_1.3.0-3_amd64.deb
 d12909596e06c5add1f2df22297275a2 697574 doc optional libflac-doc_1.3.0-3_all.deb
 25460a9c959b61924fb77133388d9b1a 137580 libdevel optional libflac-dev_1.3.0-3_amd64.deb
 61f59471887fbcc58d01ee171c1c6085 32474 libs optional libflac++6_1.3.0-3_amd64.deb
 d9d4e01c870c06e6dfc9bf477e029e6d 39006 libdevel optional libflac++-dev_1.3.0-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUd0nTAAoJEMvqjpcMzVnf5mkQAKKJ+pqpt22JPJdoSdq94FaN
o3TT7NuYd57KijxEQWYGyzuNtWcm9s7SeuNyAnz3OXfnE/4LEcCSZshXxPPO0cEm
waR28TFZlkYzgxhmWEZc6Gr7W39HF0GyViKr6ngFKyzHCQx5RAMc2wLLCxrvCjkH
ZKmG2vh5RTCvTfuZw/tSUkGHUW0RYeE5n882D7VIya1JR6pLnzr35pGLkT2Ydgb/
XrSnxlyoElsgWu/eAeK70mUpStiJU9YRnEr92MdbHH0nnm9c7fNf9j5FY3i5Ncla
I901oq5ucMLqS3Ece6PdPFOmcDoOGrqX+mqX+2L7sQqRVdyQvzsfKHrcXvp9JF8F
T1/1IusI718Pk/jM9BUNgPjzJOTExXLrSoj8XSQ8giXip0VPHSrLKN9q/ky8f3s0
QryLybmJ7jyZK19RyPtFR+e39asNMtjyDCxqISico+3x3+KdDdZ9V3RofhFkccGk
QAlymE4amlqa3/lkwBveb3cha351MbNt/BcUXwWM+0l+x8ePdZ6ljO/GB+fgPjJ9
aGKhf+4gTzMCA9UXAnu9CQLKTXv17vVYttbKOZ5N+zLotcNbejc2ifQxYiYv8Oxp
0IRW9HWQXriRh4LfGJAVoLhkKONch5ZGIg5EjPB5KtZ5/3XcWqK143FlwVLPRk+d
pAgwkLCyF0Y+1tuc5rTc
=fF/D
-----END PGP SIGNATURE-----

Message #38 received at 770918-close@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian+debian@greffrath.com>

To: 770918-close@bugs.debian.org

Subject: Bug#770918: fixed in flac 1.3.1-1

Date: Tue, 02 Dec 2014 09:20:39 +0000

Source: flac
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770918@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian+debian@greffrath.com> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Dec 2014 18:32:57 +0100
Source: flac
Binary: flac libflac8 libflac-doc libflac-dev libflac++6 libflac++-dev
Architecture: source amd64 all
Version: 1.3.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian+debian@greffrath.com>
Description:
 flac       - Free Lossless Audio Codec - command line tools
 libflac++-dev - Free Lossless Audio Codec - C++ development library
 libflac++6 - Free Lossless Audio Codec - C++ runtime library
 libflac-dev - Free Lossless Audio Codec - C development library
 libflac-doc - Free Lossless Audio Codec - library documentation
 libflac8   - Free Lossless Audio Codec - runtime C library
Closes: 770918
Changes:
 flac (1.3.1-1) experimental; urgency=medium
 .
   [ Jackson Doak ]
   * Disable silent rules
   * Enable hardening
   * Add symbols files
 .
   [ Fabian Greffrath ]
   * Adapt debian/watch file to reflect actual upstream versioning scheme.
   * Imported Upstream version 1.3.1
     + Fixes CVE-2014-8962 and CVE-2014-9028 (Closes: #770918).
     + Support for 3DNOW! optimizations has been removed.
     + Localized RU documentation has been removed.
   * Drop patches applied upstream.
   * Backport patch from upstream GIT to fix another input validation bug.
   * Fix "privacy-breach-logo" and "privacy-breach-w3c-valid-html"
     lintian errors.
   * In debian/rules, remove the "override_dh_makeshlibs" rule
     for the symbols files to have effect.
   * Update, improve and convert debian/copyright to machine-readable format.
   * Bump Standards-Version to 3.9.6.
Checksums-Sha1:
 a9769c536307978d806c32e23806520e2f455e3a 2256 flac_1.3.1-1.dsc
 38e17439d11be26207e4af0ff50973815694b26f 941848 flac_1.3.1.orig.tar.xz
 8b90322d24f5bad2d4e26773554431f1ae91d33b 19684 flac_1.3.1-1.debian.tar.xz
 1aade478e896cdbb49299b81eaf4ddf691980a1e 153748 flac_1.3.1-1_amd64.deb
 4722e04c0400422205cf0dfa4c8bfb402c16220c 214466 libflac8_1.3.1-1_amd64.deb
 b90faa71b35b4cde49a89e7573b6f528c1d47b00 353918 libflac-doc_1.3.1-1_all.deb
 db63c45748eab7e400b4128c715f92f7f6a2ea3d 269420 libflac-dev_1.3.1-1_amd64.deb
 23174d09942bae036404a7016a08127a3c273f28 37816 libflac++6_1.3.1-1_amd64.deb
 b1e4bfddcb02579feaccf32d6217bbaae5f7779c 40740 libflac++-dev_1.3.1-1_amd64.deb
Checksums-Sha256:
 65c9bcdedd9d7cf2e8bdaa8de4c1468ad412e9cd79f195306f48e122ba7d19cf 2256 flac_1.3.1-1.dsc
 4773c0099dba767d963fd92143263be338c48702172e8754b9bc5103efe1c56c 941848 flac_1.3.1.orig.tar.xz
 3ca678fb4bf060035d72e0939d8dfc7ab7d1120311f5cf42b0760c478f7c835e 19684 flac_1.3.1-1.debian.tar.xz
 c9de047c864dfec3d9d46fa69b56e72cee7e9927fdb83c6a8328fc15820ede9f 153748 flac_1.3.1-1_amd64.deb
 5af745174a4cb9a62c062ca3a4cf5db8d066a65be1ba308920099506f11b4188 214466 libflac8_1.3.1-1_amd64.deb
 7f33fe15ce59c68fa7991a0c40272e45cf7770f2da81e92c308d59c96a844655 353918 libflac-doc_1.3.1-1_all.deb
 effec9d44f5cffc09c770216156e553f746ac0c507aec5e0382fdb051b39fbf1 269420 libflac-dev_1.3.1-1_amd64.deb
 7ca4fb1b37b556ef579f9c53aa15f62bc72b318f103a095bc9af0fc3d74ab877 37816 libflac++6_1.3.1-1_amd64.deb
 8f7eaa44d80c53b2ab06a820d045f794d031e51bdba4b13874718a8afdfe5e43 40740 libflac++-dev_1.3.1-1_amd64.deb
Files:
 eae1ea8ed0d116a70d6114033987e180 2256 sound optional flac_1.3.1-1.dsc
 b9922c9a0378c88d3e901b234f852698 941848 sound optional flac_1.3.1.orig.tar.xz
 54389084a5f28f60a4fddb8c2538be99 19684 sound optional flac_1.3.1-1.debian.tar.xz
 d664942c0263f3cd92cc732e707f54a6 153748 sound optional flac_1.3.1-1_amd64.deb
 ea828a9a7753b085f2080916bdd90b12 214466 libs optional libflac8_1.3.1-1_amd64.deb
 67db3179ba20d76e7df9e1abbc3e530b 353918 doc optional libflac-doc_1.3.1-1_all.deb
 18c5dfe548d8dc2f1c3b0dd21dcb7d8e 269420 libdevel optional libflac-dev_1.3.1-1_amd64.deb
 b7d6e7fb200ce5b0ec34a8eea790e78e 37816 libs optional libflac++6_1.3.1-1_amd64.deb
 4a542aea84222fc8aec9c147d65660d1 40740 libdevel optional libflac++-dev_1.3.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUfXJRAAoJEMvqjpcMzVnfxowQAKDEt9m+m+xv8f7FC9K37eZe
IWq+N2QaIw067VFkt6XL+3odgVMyIapOb9+1Bx7xx0ov9g5ZRcpYvtYw/q3xZtn8
eRMBeFB1XyPJhAH56bJnuFK34Vsttgc56FSLMZiyVMZfifmXkWphtQr8R2KDeZxd
m4tQy33dRmnalhobVZloau2C+gHRhdSwf41SCEVMhHU9e73w/n+NCIzwwszrgss9
XxNGNp/rDJ9eJgPyZJbe+tYftA8rTrEXABDqDR7boG0fzuP2HzizJVZihNuGP7Ow
g2zZYj3GPMf1EjKciuqWvMzjnuUYcFwBQZN9RypZReRJiYMVmykHWXXn4yEP3XnJ
lewsuQj6qWm2ZrXxO9b5tQ966kHzInA036B+SFB72s2NosLCrQ/utQnaRlvep75A
Fq+kMYeDBWPzXszLGUM2Qz+LXLxS3oaE8+cmSz8Gw/qeVka6HqqDEt2PvyBJMlnm
AxXm9UVSG6/yrdM1Wie5hab8Z/SgxAO+9LhVmGgWnKwGA8OKg90UUAvKXNPdohfU
Sp+MUXVC7J5qRwRPK/IdLdQDqDsdqDDhh5ijS8+rX4+ILNfKoTUR1fi201Jo8i6n
1TfQm33NfhJOW1R9GwWEaCxOEnSeg4D0dBcYTHSRpugmu9NMpJDI5Y1oGxkdAHxh
Lm9vpyiBnr0/NeaGU6z9
=DU9H
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.