Your message dated Fri, 12 Oct 2007 17:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#446034: fixed in alsaplayer 0.99.79-3+lenny1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: alsaplayer
Severity: grave
Tags: security
Hi,
The following was released on:
http://secunia.com/advisories/27117/
| Some vulnerabilities have been reported in AlsaPlayer, which potentially can be
| exploited by malicious people to compromise a user's system.
|
| The vulnerabilities are caused due to boundary errors in the vorbis input
| plug-in when processing .OGG files. These can be exploited to cause buffer
| overflows via a specially crafted .OGG file with overly long comments.
|
| Successful exploitation may allow execution of arbitrary code.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
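The advisory quoted in the report above blames boundary errors when the vorbis input plug-in handles overly long comments. The following is an added example, not AlsaPlayer's code and not the contents of CVE-2007-5301.dpatch, showing length-checked copying of "TAG=value" comments into fixed-size fields; track_info, FIELD_MAX, copy_bounded, load_comments and demo are hypothetical names, and the sample comments are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical fixed-size record; names and sizes are assumptions. */
#define FIELD_MAX 128
struct track_info { char title[FIELD_MAX]; char artist[FIELD_MAX]; };
/* Copy a length-delimited value, always NUL-terminate; 1 if truncated. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len > n;
}
/* Fill info from "TAG=value" entries; returns number of truncated fields. */
int load_comments(struct track_info *info, const char *const *comments,
                  const size_t *lengths, size_t count)
{
    int truncated = 0;
    memset(info, 0, sizeof *info);
    for (size_t i = 0; i < count; i++) {
        const char *c = comments[i], *eq = memchr(c, '=', lengths[i]);
        if (eq == NULL) continue;              /* malformed entry: skip */
        size_t tag = (size_t)(eq - c), val = lengths[i] - tag - 1;
        if (tag == 5 && strncasecmp(c, "TITLE", 5) == 0)
            truncated += copy_bounded(info->title, FIELD_MAX, eq + 1, val);
        else if (tag == 6 && strncasecmp(c, "ARTIST", 6) == 0)
            truncated += copy_bounded(info->artist, FIELD_MAX, eq + 1, val);
    }
    return truncated;
}

/* Constructed sample: 4096-byte TITLE value, short ARTIST, one bad entry. */
int demo(struct track_info *info)
{
    static char big[6 + 4096];
    memcpy(big, "title=", 6);
    memset(big + 6, 'A', 4096);
    const char *const comments[] = { big, "ARTIST=Example", "no-equals-sign" };
    const size_t lengths[] = { sizeof big, 14, 14 };
    return load_comments(info, comments, lengths, 3);
}

int main(void)
{
    struct track_info t;
    int n = demo(&t);
    printf("truncated=%d title_len=%zu artist=%s\n", n, strlen(t.title), t.artist);
    return 0;
}
```

The oversized title is cut to FIELD_MAX - 1 bytes and reported as truncated, where an unbounded copy would write past the end of the field.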
--- Begin Message ---
Source: alsaplayer
Source-Version: 0.99.79-3+lenny1
We believe that the bug you reported is fixed in the latest version of
alsaplayer, which is due to be installed in the Debian FTP archive:
alsaplayer-alsa_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-alsa_0.99.79-3+lenny1_i386.deb
alsaplayer-common_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-common_0.99.79-3+lenny1_i386.deb
alsaplayer-daemon_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-daemon_0.99.79-3+lenny1_i386.deb
alsaplayer-esd_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-esd_0.99.79-3+lenny1_i386.deb
alsaplayer-gtk_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-gtk_0.99.79-3+lenny1_i386.deb
alsaplayer-jack_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-jack_0.99.79-3+lenny1_i386.deb
alsaplayer-nas_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-nas_0.99.79-3+lenny1_i386.deb
alsaplayer-oss_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-oss_0.99.79-3+lenny1_i386.deb
alsaplayer-text_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-text_0.99.79-3+lenny1_i386.deb
alsaplayer-xosd_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-xosd_0.99.79-3+lenny1_i386.deb
alsaplayer_0.99.79-3+lenny1.diff.gz
to pool/main/a/alsaplayer/alsaplayer_0.99.79-3+lenny1.diff.gz
alsaplayer_0.99.79-3+lenny1.dsc
to pool/main/a/alsaplayer/alsaplayer_0.99.79-3+lenny1.dsc
libalsaplayer-dev_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/libalsaplayer-dev_0.99.79-3+lenny1_i386.deb
libalsaplayer0_0.99.79-3+lenny1_i386.deb
to pool/main/a/alsaplayer/libalsaplayer0_0.99.79-3+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated alsaplayer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 12 Oct 2007 12:45:45 +0200
Source: alsaplayer
Binary: alsaplayer-daemon alsaplayer-xosd libalsaplayer-dev alsaplayer-jack
alsaplayer-esd alsaplayer-text alsaplayer-nas alsaplayer-oss alsaplayer-alsa
alsaplayer-gtk libalsaplayer0 alsaplayer-common
Architecture: source i386
Version: 0.99.79-3+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Hubert Chan <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
alsaplayer-alsa - PCM player designed for ALSA (ALSA output module)
alsaplayer-common - PCM player designed for ALSA (common files)
alsaplayer-daemon - PCM player designed for ALSA (non-interactive version)
alsaplayer-esd - PCM player designed for ALSA (EsounD output module)
alsaplayer-gtk - PCM player designed for ALSA (GTK version)
alsaplayer-jack - PCM player designed for ALSA (JACK output module)
alsaplayer-nas - PCM player designed for ALSA (NAS output module)
alsaplayer-oss - PCM player designed for ALSA (OSS output module)
alsaplayer-text - PCM player designed for ALSA (text version)
alsaplayer-xosd - PCM player designed for ALSA (osd version)
libalsaplayer-dev - PCM player designed for ALSA (interface library, development file
libalsaplayer0 - PCM player designed for ALSA (interface library)
Closes: 446034
Changes:
alsaplayer (0.99.79-3+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by testing security team.
* Added CVE-2007-5301.dpatch to fix buffer overflow
via crafted ogg vorbis files (CVE-2007-5301) (Closes: #446034).
Files:
2d20038dd6e7dc569c00cc4375d6a8a1 1105 sound optional
alsaplayer_0.99.79-3+lenny1.dsc
55dc879c79ae741895dc5e42d6f484c9 855696 sound optional
alsaplayer_0.99.79.orig.tar.gz
64041b62a1ffafddad30949868e3e502 15732 sound optional
alsaplayer_0.99.79-3+lenny1.diff.gz
ab8d4bf624facc2a4b0af14d08373925 162300 sound optional
alsaplayer-common_0.99.79-3+lenny1_i386.deb
6177f3a9a892e75a1ec107c56b40ddee 115748 sound optional
alsaplayer-gtk_0.99.79-3+lenny1_i386.deb
392839e046a1aaaafc70dacfd2b4b4c1 29168 sound optional
alsaplayer-text_0.99.79-3+lenny1_i386.deb
50c79b6be4bb8cf002e936e90963523c 28148 sound optional
alsaplayer-daemon_0.99.79-3+lenny1_i386.deb
3e86f25935976811152e9e59d341f422 28892 sound optional
alsaplayer-xosd_0.99.79-3+lenny1_i386.deb
75e76949e7629a592e903834a688ee1e 26204 sound optional
alsaplayer-oss_0.99.79-3+lenny1_i386.deb
9573c7646eaeab065614c849b1fb884d 27798 sound optional
alsaplayer-alsa_0.99.79-3+lenny1_i386.deb
c1adb7aebde26bf90c28268213e605b3 26084 sound optional
alsaplayer-esd_0.99.79-3+lenny1_i386.deb
84587306ac6a55ff62c7aeee21fa9ebb 27952 sound optional
alsaplayer-nas_0.99.79-3+lenny1_i386.deb
5c5a7479d2c01ef9f9c8faac7d772f70 30008 sound optional
alsaplayer-jack_0.99.79-3+lenny1_i386.deb
9cfe74eac5e97e3f472cf57d38ea4234 32142 libs optional
libalsaplayer0_0.99.79-3+lenny1_i386.deb
fa62ce5d82c583c8fc75517971f503d2 82378 libdevel optional
libalsaplayer-dev_0.99.79-3+lenny1_i386.deb
--- End Message ---