Your message dated Thu, 27 Nov 2014 16:04:11 +0000
with message-id <e1xu1yb-0005p4...@franck.debian.org>
and subject line Bug#770918: fixed in flac 1.3.0-3
has caused the Debian Bug report #770918,
regarding flac: CVE-2014-8962/CVE-2014-9028: heap buffer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flac
Version: 1.3.0-2+b1
Severity: serious
Tags: security

From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html

> Google Security Team member, Michele Spagnuolo, recently found two potential
> problems in the FLAC code base. They are:
> 
> 
>     CVE-2014-9028 : Heap buffer write overflow
>     CVE-2014-8962 : Heap buffer read overflow
> 
> For Linux distributions, the specific fixes for these two CVEs are available
> from Git here:
> 
>     https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
>     https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
> 
> and are simple enough that they should apply cleanly to the last official
> release 1.3.0 and possibly even the previous one, 1.2.1.
> 
> A pre-release (version 1.3.1pre1) for the next version which includes these
> fixes and more is available here:
> 
>     http://downloads.xiph.org/releases/flac/beta/
> 
> A full release (version 1.3.1) will be available in the next couple of days.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages flac depends on:
ii  libc6     2.19-13
ii  libflac8  1.3.0-2+b1

flac recommends no packages.

flac suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: flac
Source-Version: 1.3.0-3

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian+deb...@greffrath.com> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Nov 2014 16:52:51 +0100
Source: flac
Binary: flac libflac8 libflac-doc libflac-dev libflac++6 libflac++-dev
Architecture: source amd64 all
Version: 1.3.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian+deb...@greffrath.com>
Description:
 flac       - Free Lossless Audio Codec - command line tools
 libflac++-dev - Free Lossless Audio Codec - C++ development library
 libflac++6 - Free Lossless Audio Codec - C++ runtime library
 libflac-dev - Free Lossless Audio Codec - C development library
 libflac-doc - Free Lossless Audio Codec - library documentation
 libflac8   - Free Lossless Audio Codec - runtime C library
Closes: 770918
Changes:
 flac (1.3.0-3) unstable; urgency=high
 .
   * Fixes for CVE-2014-8962 and CVE-2014-9028:
     + Backport three patches from upstream GIT repository:
       - CVE-2014-8962.patch: Fix a buffer read overflow.
       - CVE-2014-9028.patch: Avoid a heap overflow.
       - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
         the former fix, but strictly speaking not the same vulnerability.
     + Closes: #770918.
     + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
Checksums-Sha1:
 afd9218d22316717874fa8819c1903bb9882f6c8 2259 flac_1.3.0-3.dsc
 d5cf793e8d010dab3b30280ef24f52c5f485186d 14772 flac_1.3.0-3.debian.tar.xz
 a52ffa2d39a70a51686ac063f925d802938b1206 121872 flac_1.3.0-3_amd64.deb
 648e0ed79e5c48af542caa7fc07b207704609150 89338 libflac8_1.3.0-3_amd64.deb
 ac9628c3a1e31196162695438f2a0eb4fe9b26ba 697574 libflac-doc_1.3.0-3_all.deb
 1eb6f20fd201494f46793233bc4b03c2949cc26d 137580 libflac-dev_1.3.0-3_amd64.deb
 434afd33215a55b788d3c120aec9c64166e86d86 32474 libflac++6_1.3.0-3_amd64.deb
 b9d4a248c2f7a49b2c3638d872892cdb83133351 39006 libflac++-dev_1.3.0-3_amd64.deb
Checksums-Sha256:
 9dafbe2aa5bfd1aff558b6d0c50598a54ec66c89346648f3e51ccea153dbc8ce 2259 flac_1.3.0-3.dsc
 4be6690850e4646764a740bdfa14688cd16c8913af5c9f26f539c30c69c879f2 14772 flac_1.3.0-3.debian.tar.xz
 20b03f83c29fb2c3a7f1671bf9cbd7a34ee567200438e32287545aa9aed21d1e 121872 flac_1.3.0-3_amd64.deb
 a896332bb1d649b0ff8997d9f17a5c40275451d084de6227a3a4ef0269f5e4b0 89338 libflac8_1.3.0-3_amd64.deb
 07600d12edbb7628798474700fdd7b2175c462a28fdf0158dc94082bb4c33390 697574 libflac-doc_1.3.0-3_all.deb
 8f3296ae2473723378fbc02be96816b079653afce3585fd62e66b2a80c720cb7 137580 libflac-dev_1.3.0-3_amd64.deb
 cef3041c045728a950a39871e75a1758f40a0f1fc738ced8b42391bbb38df360 32474 libflac++6_1.3.0-3_amd64.deb
 1da6536fa2dc94d69c16b067dd8d69569669c95684cb4b41096a18b73f7d6dc9 39006 libflac++-dev_1.3.0-3_amd64.deb
Files:
 b9a7fa51da3a01ca56d9a8a296730c82 2259 sound optional flac_1.3.0-3.dsc
 ad82e54da7f973053bcbc6eee97b8fb1 14772 sound optional flac_1.3.0-3.debian.tar.xz
 c89bbc50c12d202a53b888e6a26e5809 121872 sound optional flac_1.3.0-3_amd64.deb
 e14e552f7d7684b5ca96fc53d800080a 89338 libs optional libflac8_1.3.0-3_amd64.deb
 d12909596e06c5add1f2df22297275a2 697574 doc optional libflac-doc_1.3.0-3_all.deb
 25460a9c959b61924fb77133388d9b1a 137580 libdevel optional libflac-dev_1.3.0-3_amd64.deb
 61f59471887fbcc58d01ee171c1c6085 32474 libs optional libflac++6_1.3.0-3_amd64.deb
 d9d4e01c870c06e6dfc9bf477e029e6d 39006 libdevel optional libflac++-dev_1.3.0-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---