ACK on the debdiff in comment #1. Package is building now and will be
released as a security update. Thanks!
** Also affects: brotli (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: brotli (Ubuntu)
Status: New => Fix Released
** Changed in: brotli (Ubuntu Xenial)
Status: New => Fix Committed
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1737364
Title:
16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli
Status in brotli package in Ubuntu:
Fix Released
Status in brotli source package in Xenial:
Fix Committed
Bug description:
Impact
------
Integer underflow could be targeted as a buffer overflow
https://security-tracker.debian.org/tracker/source-package/brotli
Debdiff attached.
Because brotli is embedded in web browsers for WOFF2 support (to be
somewhat fixed by the proposed brotli MIR), this issue was already
mentioned in
https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox)
Luke Li discovered a buffer overflow during Brotli decompression in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1968)
https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide)
An integer underflow was discovered in Brotli. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2016-1624)
Regression Potential
--------------------
This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from
late March to mid June 2016 when it was superseded by a newer version. The
Ubuntu security sync tool wasn't able to retrieve this version now.
brotli has no reverse dependencies in Ubuntu and is in universe.
Testing Done
------------
Only a simple build test.
There is a build test to ensure basic functionality of brotli with
both python2 and python3.
Other Info
----------
The main purpose of this security update is to clear up the security history
section of MIR LP: #1737053.
It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to
be backported to Ubuntu 16.04 and 17.10 as a security update (and
promoted to main there), after 17.04 reaches End of Life.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737364/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
