Your message dated Thu, 12 Oct 2017 09:51:14 +0000
with message-id <[email protected]>
and subject line Bug#871511: fixed in taglib 1.11.1+dfsg.1-0.2
has caused the Debian Bug report #871511,
regarding taglib: CVE-2017-12678
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
871511: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871511
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: taglib
Version: 1.11.1+dfsg.1-0.1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/taglib/taglib/issues/829
Hi,
the following vulnerability was published for taglib.
CVE-2017-12678[0]:
| In TagLib 1.11.1, the rebuildAggregateFrames function in
| id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
| remote attackers to cause a denial of service or possibly have
| unspecified other impact via a crafted audio file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12678
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12678
[1] https://github.com/taglib/taglib/issues/829
[2] https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: taglib
Source-Version: 1.11.1+dfsg.1-0.2
We believe that the bug you reported is fixed in the latest version of
taglib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated taglib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 12 Oct 2017 11:38:02 +0200
Source: taglib
Binary: libtag1v5 libtag1v5-vanilla libtag1-dev libtag1-doc libtagc0 libtagc0-dev
Architecture: source
Version: 1.11.1+dfsg.1-0.2
Distribution: unstable
Urgency: medium
Maintainer: Modestas Vainius <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Description:
libtag1-dev - audio meta-data library - development files
libtag1-doc - audio meta-data library - API documentation
libtag1v5 - audio meta-data library
libtag1v5-vanilla - audio meta-data library - vanilla flavour
libtagc0 - audio meta-data library - C bindings
libtagc0-dev - audio meta-data library - development files for C bindings
Closes: 871511
Changes:
 taglib (1.11.1+dfsg.1-0.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Drop obsolete versioned build dependency on g++.
   * Mark two more symbols as optional, not seen when building with -O3.
   * Bump standards version to 4.1.1.
   * CVE-2017-12678: Don't assume TDRC is an instance of
     TextIdentificationFrame.
     Closes: #871511.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---