Your message dated Sat, 28 Feb 2009 00:17:16 +0000
with message-id <[email protected]>
and subject line Bug#482039: fixed in libvorbis 1.2.0.dfsg-4
has caused the Debian Bug report #482039,
regarding libvorbis0a: potential security patch, needs review
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
482039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482039
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvorbis0a
Version: 1.2.0.dfsg-3
Severity: normal
Tags: security
Hi
As discussed on IRC with dato, here is the information on this:
The following CVE(0) has been issued against vorbis.
CVE-2008-2009:
Xiph.org libvorbis before 1.0 does not properly check for underpopulated
Huffman trees, which allows remote attackers to cause a denial of
service (crash) via a crafted OGG file that triggers memory corruption
during execution of the _make_decode_tree function.
Now the version in unstable is not as old as the one mentioned in the
CVE. However, I was wondering if the sanity checks upstream added in
their patch(1) are needed for our Debian versions as well?
Could someone familiar with the code maybe have a look?
Cheers
Steffen
(0): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2009
(1): https://trac.xiph.org/changeset/14811?format=diff&new=14811
--- End Message ---
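The CVE text above describes a decoder building a decode tree from a codebook whose Huffman code lengths do not fully populate the tree. The added example below (not part of this bug report, not libvorbis code, and not the upstream r14811 patch; all function names, the array-of-lengths codebook format and the constructed sample tables are this example's own) shows the invariant such a sanity check enforces: the Kraft sum of the codeword lengths must equal exactly 1 (2^32 in the integer form used here). It also builds a canonical table from the lengths and walks a bit string against it, so one can see the "hole" an underpopulated table leaves: a bit path that ends at no codeword, which a tree builder that assumes a complete tree has no node to return for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (hypothetical names): a Kraft-inequality sanity check on
   Huffman codeword lengths, the invariant an "underpopulated tree" breaks.
   A codebook here is just an array of bit lengths, 0 = unused (sparse)
   entry; this is not libvorbis' own codebook structure nor the r14811
   patch, only an illustration of the check it describes. */

enum huff_status {
    HUFF_OK = 0,              /* every bit path ends at a codeword */
    HUFF_UNDERPOPULATED = -1, /* some bit paths lead nowhere */
    HUFF_OVERPOPULATED = -2,  /* lengths cannot form a prefix code */
    HUFF_BADLEN = -3          /* a length above 32 bits */
};

/* Sum 2^(32-len) over all used entries in 64-bit integer arithmetic. A
   complete prefix code sums to exactly 2^32; less means holes in the tree,
   more means two codewords would have to share a prefix. */
enum huff_status huff_check_lengths(const unsigned *lengths, size_t n)
{
    const uint64_t full = (uint64_t)1 << 32;
    uint64_t kraft = 0;
    size_t used = 0;

    for (size_t i = 0; i < n; i++) {
        if (lengths[i] == 0)
            continue;                     /* sparse entry, no codeword */
        if (lengths[i] > 32)
            return HUFF_BADLEN;
        kraft += (uint64_t)1 << (32 - lengths[i]);
        used++;
        if (kraft > full)
            return HUFF_OVERPOPULATED;    /* fail early; sum stays < 2^33 */
    }
    /* Example's choice: a one-codeword book is the degenerate single-node
       tree and is accepted even though its Kraft sum is below 2^32. */
    if (used == 1)
        return HUFF_OK;
    return kraft == full ? HUFF_OK : HUFF_UNDERPOPULATED;
}

#define HUFF_MAX_ENTRIES 64

/* Assign canonical codewords: shorter codes first, numerically increasing,
   the code counter doubled when moving to the next length. */
static void huff_assign_canonical(const unsigned *lengths, size_t n, uint32_t *codes)
{
    uint32_t code = 0;
    for (unsigned len = 1; len <= 32; len++) {
        for (size_t i = 0; i < n; i++)
            if (lengths[i] == len)
                codes[i] = code++;
        code <<= 1;
    }
}

/* Walk a bit string ('0'/'1' characters, MSB first) against the table.
   Returns the matching entry index, or -1 when the bits run out on a path
   with no codeword: the hole an underpopulated tree leaves. */
static int huff_decode_bits(const unsigned *lengths, const uint32_t *codes,
                            size_t n, const char *bits)
{
    uint32_t acc = 0;
    unsigned len = 0;
    for (const char *p = bits; *p && len < 32; p++) {
        acc = (acc << 1) | (uint32_t)(*p == '1');
        len++;
        for (size_t i = 0; i < n; i++)
            if (lengths[i] == len && codes[i] == acc)
                return (int)i;
    }
    return -1;
}

/* Convenience: build the canonical table for a length list and decode one
   bit string. Returns the entry index, -1 for an unassigned path, -2 if the
   lengths are not even a prefix code (so no table can be built). */
int huff_decode_with_lengths(const unsigned *lengths, size_t n, const char *bits)
{
    uint32_t codes[HUFF_MAX_ENTRIES] = {0};
    enum huff_status st = huff_check_lengths(lengths, n);
    if (n > HUFF_MAX_ENTRIES || st == HUFF_OVERPOPULATED || st == HUFF_BADLEN)
        return -2;
    huff_assign_canonical(lengths, n, codes);
    return huff_decode_bits(lengths, codes, n, bits);
}

/* Constructed sample length lists. */
const unsigned kComplete[]       = {1, 2, 3, 3}; /* 0, 10, 110, 111 */
const unsigned kUnderpopulated[] = {1, 2, 3};    /* 0, 10, 110: "111" leads nowhere */
const unsigned kOverpopulated[]  = {1, 1, 2};    /* 0 and 1 already fill the tree */

int main(void)
{
    printf("complete:       %d\n", huff_check_lengths(kComplete, 4));
    printf("underpopulated: %d\n", huff_check_lengths(kUnderpopulated, 3));
    printf("overpopulated:  %d\n", huff_check_lengths(kOverpopulated, 3));
    printf("decode 111 (complete):       %d\n", huff_decode_with_lengths(kComplete, 4, "111"));
    printf("decode 111 (underpopulated): %d\n", huff_decode_with_lengths(kUnderpopulated, 3, "111"));
    return 0;
}
```

A decoder that runs huff_check_lengths before building its tree rejects the underpopulated table at setup time instead of discovering the missing node while walking bits from the stream; the integer Kraft sum also avoids the rounding that a floating-point sum of 2^-len terms can introduce for long codewords.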
--- Begin Message ---
Source: libvorbis
Source-Version: 1.2.0.dfsg-4
We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive:
libvorbis-dev_1.2.0.dfsg-4_i386.deb
to pool/main/libv/libvorbis/libvorbis-dev_1.2.0.dfsg-4_i386.deb
libvorbis0a_1.2.0.dfsg-4_i386.deb
to pool/main/libv/libvorbis/libvorbis0a_1.2.0.dfsg-4_i386.deb
libvorbis_1.2.0.dfsg-4.diff.gz
to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-4.diff.gz
libvorbis_1.2.0.dfsg-4.dsc
to pool/main/libv/libvorbis/libvorbis_1.2.0.dfsg-4.dsc
libvorbisenc2_1.2.0.dfsg-4_i386.deb
to pool/main/libv/libvorbis/libvorbisenc2_1.2.0.dfsg-4_i386.deb
libvorbisfile3_1.2.0.dfsg-4_i386.deb
to pool/main/libv/libvorbis/libvorbisfile3_1.2.0.dfsg-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Clint Adams <[email protected]> (supplier of updated libvorbis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 10 Jun 2008 12:06:58 -0400
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev
Architecture: source i386
Version: 1.2.0.dfsg-4
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <[email protected]>
Changed-By: Clint Adams <[email protected]>
Description:
libvorbis-dev - The Vorbis General Audio Compression Codec (development files)
libvorbis0a - The Vorbis General Audio Compression Codec
libvorbisenc2 - The Vorbis General Audio Compression Codec
libvorbisfile3 - The Vorbis General Audio Compression Codec
Closes: 482039
Changes:
libvorbis (1.2.0.dfsg-4) unstable; urgency=low
.
* Add upstream-r14811_huffman_sanity_checks.diff. closes: #482039.
* Bump to Standards-Version 3.8.0.
* Remove myself from Uploaders.
Checksums-Sha1:
8d27cf2edd20966be31f2d8dda55194f2e0ab901 1219 libvorbis_1.2.0.dfsg-4.dsc
12ea87db204c70f809eeba3fffc1dc7347ebc157 10026 libvorbis_1.2.0.dfsg-4.diff.gz
4ac50c1e9630cf7a6165e2b84d241508fdd387e7 101670 libvorbis0a_1.2.0.dfsg-4_i386.deb
4057c6a2c7a6a5d749728a33b427da08273b2440 77102 libvorbisenc2_1.2.0.dfsg-4_i386.deb
a11267958160708dd12b23ff2d2e110fbd04f511 20974 libvorbisfile3_1.2.0.dfsg-4_i386.deb
dc3a110639554dcc75c8489fc525fb6a51272d84 465274 libvorbis-dev_1.2.0.dfsg-4_i386.deb
Checksums-Sha256:
26aa34a748164075d39d6d66b562c81ff6fe59bfc458d303e9b1e011637a67bf 1219 libvorbis_1.2.0.dfsg-4.dsc
4c4a22f946c23ee24a0840e323f29f7f6e80fa91ac74d57987bd7206cf36c4a4 10026 libvorbis_1.2.0.dfsg-4.diff.gz
63fc88dd678420f063285b5f75f762e35060a726ebfbdb185986229aca76384a 101670 libvorbis0a_1.2.0.dfsg-4_i386.deb
85f1d3c020d7baf44413d011671ca8a347c2be5030822990c4e2318fc5c7eab4 77102 libvorbisenc2_1.2.0.dfsg-4_i386.deb
d0bfd951eae37919175954069ec727dc7aa994353eeeebea4a4fb80e40491a8e 20974 libvorbisfile3_1.2.0.dfsg-4_i386.deb
bdda7b6704ba9b770d4062efd7b715eb92775ad9e75f32fe275b01adaade782a 465274 libvorbis-dev_1.2.0.dfsg-4_i386.deb
Files:
1b37edf8cd0fcda8714786f114202a1e 1219 libs optional libvorbis_1.2.0.dfsg-4.dsc
6b848d1d6ca053bae0f93425a40dab78 10026 libs optional libvorbis_1.2.0.dfsg-4.diff.gz
695c9bdbecbf42dcd0fb5ecb762f89f4 101670 libs optional libvorbis0a_1.2.0.dfsg-4_i386.deb
02f354d5e2e15ebd66f6266edcad0f22 77102 libs optional libvorbisenc2_1.2.0.dfsg-4_i386.deb
c1a359bda3335985575a08554765157d 20974 libs optional libvorbisfile3_1.2.0.dfsg-4_i386.deb
42fc26faae247e0e15056bc3ead0e23f 465274 libdevel optional libvorbis-dev_1.2.0.dfsg-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Debian!
iD8DBQFJqIC95m0u66uWM3ARAqH7AJ49vDQx1LRebPaCPEtjOuqU8ta5SACfTY3/
gANU3t56KtqNuQMn0G+zER8=
=/I1n
-----END PGP SIGNATURE-----
--- End Message ---