Your message dated Fri, 13 Oct 2017 21:43:44 +0000
with message-id <e1e37k8-0007jd...@fasolo.debian.org>
and subject line Bug#877651: fixed in libgig 4.0.0-5
has caused the Debian Bug report #877651,
regarding libgig: CVE-2017-12951
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
877651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877651
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgig
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libgig. See
http://seclists.org/fulldisclosure/2017/Aug/39 for the initial report
with reproducer files.

CVE-2017-12950[0]:
| The gig::Region::Region function in gig.cpp in libgig 4.0.0 allows
| remote attackers to cause a denial of service (NULL pointer
| dereference and application crash) via a crafted gig file.

CVE-2017-12951[1]:
| The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in
| libgig 4.0.0 allows remote attackers to cause a denial of service
| (stack-based buffer over-read and application crash) via a crafted gig
| file.

CVE-2017-12952[2]:
| The LoadString function in helper.h in libgig 4.0.0 allows remote
| attackers to cause a denial of service (NULL pointer dereference and
| application crash) via a crafted gig file.

CVE-2017-12953[3]:
| The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in
| libgig 4.0.0 allows remote attackers to cause a denial of service
| (invalid memory write and application crash) via a crafted gig file.

CVE-2017-12954[4]:
| The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig
| 4.0.0 allows remote attackers to cause a denial of service (invalid
| memory read and application crash) via a crafted gig file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12950
[1] https://security-tracker.debian.org/tracker/CVE-2017-12951
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12951
[2] https://security-tracker.debian.org/tracker/CVE-2017-12952
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12952
[3] https://security-tracker.debian.org/tracker/CVE-2017-12953
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12953
[4] https://security-tracker.debian.org/tracker/CVE-2017-12954
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12954

Please adjust the affected versions in the BTS as needed.


-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: libgig
Source-Version: 4.0.0-5

We believe that the bug you reported is fixed in the latest version of
libgig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaromír Mikeš <mira.mi...@seznam.cz> (supplier of updated libgig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Oct 2017 22:33:54 +0200
Source: libgig
Binary: libgig-dev libgig7 libakai0 gigtools libgig-doc
Architecture: source amd64 all
Version: 4.0.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jaromír Mikeš <mira.mi...@seznam.cz>
Description:
 gigtools   - command line tools for Gigasampler and DLS Level 1/2 files
 libakai0   - library for loading and modifying akai files
 libgig-dev - development files for libgig
 libgig-doc - HTML documentation for libgig
 libgig7    - library for loading and modifying Gigasampler and DLS files
Closes: 877651 877652
Changes:
 libgig (4.0.0-5) unstable; urgency=medium
 .
   * Add patch to fix CVE-2017-12951. (Closes: #877651)
   * Add patch to fix CVE-2017-12954. (Closes: #877652)
   * Bump Standards.
   * Update Vcs to use git instead of cgit.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---