Your message dated Mon, 10 Sep 2018 15:49:03 +0000
with message-id <[email protected]>
and subject line Bug#883355: fixed in aubio 0.4.6-1
has caused the Debian Bug report #883355,
regarding aubio: CVE-2017-17054: divide by zero in function new_aubio_source_wavread()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
883355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883355
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: aubio
Version: 0.4.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/aubio/aubio/issues/148

Hi,

the following vulnerability was published for aubio.

CVE-2017-17054[0]:
| In aubio 0.4.6, a divide-by-zero error exists in the function
| new_aubio_source_wavread() in source_wavread.c, which may lead to DoS
| when playing a crafted audio file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17054
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17054
[1] https://github.com/aubio/aubio/issues/148

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: aubio
Source-Version: 0.4.6-1

We believe that the bug you reported is fixed in the latest version of
aubio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Brossier <[email protected]> (supplier of updated aubio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 10 Sep 2018 16:20:59 +0200
Source: aubio
Binary: libaubio-dev libaubio5 aubio-tools libaubio-doc python-aubio python3-aubio
Architecture: source
Version: 0.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Brossier <[email protected]>
Changed-By: Paul Brossier <[email protected]>
Description:
 aubio-tools - library for audio segmentation -- utilities
 libaubio-dev - library for audio and music analysis, synthesis, and effects
 libaubio-doc - library for audio segmentation -- documentation
 libaubio5  - library for audio segmentation
 python-aubio - Python interface for aubio, a library for audio segmentation
 python3-aubio - Python interface for aubio, a library for audio segmentation
Closes: 883355 884232 884237 888336 904906 904907 904908
Changes:
 aubio (0.4.6-1) unstable; urgency=medium
 .
   * New upstream version 0.4.6
   * Acknowledge NMU (thanks to Sebastian Ramacher, closes: #888336)
   * debian/watch: use https
   * debian/copyright: fix file path
   * debian/control:
     - remove duplicate Section from aubio-tools
     - capitalize Python in short descriptions
     - remove obsolete X-Python fields
     - bump Standards-Version to 4.2.1
     - move Vcs-Git and Browser to salsa.d.o
   * debian/rules:
     - add a comment to enable bindnow hardening
     - add -Wl,--as-needed to LDFLAGS
     - clean waf_gensyms and python/tests/sounds
   * debian/patches:
     - add upstream patches to fix security issues
     - add avoid_deprecated to omit av_register_all() where deprecated
   * CVE-2017-17054 div by zero, thx to my123px (closes: #883355)
   * CVE-2017-17554 null pointer dereference, thx to IvanCql (closes: #884237)
   * CVE-2017-17555 denial of service, thx to IvanCql (closes: #884232)
   * CVE-2018-14521 SEGV in aubiomfcc, thx to fCorleone (closes: #904908)
   * CVE-2018-14522 SEGV in aubionotes, thx to fCorleone (closes: #904907)
   * CVE-2018-14523 global buffer overflow, thx to fCorleone (closes: #904906)

--- End Message ---
