Bug#770918: Two CVEs against FLAC
Am Mittwoch, den 26.11.2014, 19:58 -0800 schrieb Erik de Castro Lopo: > One more patch to cherry pick: Thank you very much! I hope to be able to prepare updated packages by next week. - Fabian -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#770918: Two CVEs against FLAC
Erik de Castro Lopo wrote: > Package: flac > Version: 1.3.0-2+b1 > Severity: serious > Tags: security > > From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html > > > Google Security Team member, Michele Spagnuolo, recently found two potential > > problems in the FLAC code base. They are : > > > > CVE-2014-9028 : Heap buffer write overflow > > CVE-2014-8962 : Heap buffer read overflow > > > > For Linux distributions, the specific fixes for these two CVEs are available > > from Git here: > > > > > > https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 > > > > https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e > > > > and are simple enough that they should apply cleanly to the last official > > release 1.3.0 and possibly even the previous one, 1.2.1. One more patch to cherry pick: https://git.xiph.org/?p=flac.git;a=commit;h=5a365996d739bdf4711af51d9c2c71c8a5e14660 > > A pre-release (version 1.3.1pre1) for the next version which includes these > > fixes and more is available here: > > > > http://downloads.xiph.org/releases/flac/beta/ > > > > A full release (version 1.3.1) will be available in the next couple of days. The 1.3.1 release is available here: http://downloads.xiph.org/releases/flac/ Cheers, Erik -- -- Erik de Castro Lopo http://www.mega-nerd.com/ -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#770918: Two CVEs against FLAC
Package: flac Version: 1.3.0-2+b1 Severity: serious Tags: security From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html > Google Security Team member, Michele Spagnuolo, recently found two potential > problems in the FLAC code base. They are : > > > CVE-2014-9028 : Heap buffer write overflow > CVE-2014-8962 : Heap buffer read overflow > > For Linux distributions, the specific fixes for these two CVEs are available > from Git here: > > > https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 > > https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e > > and are simple enough that they should apply cleanly to the last official > release 1.3.0 and possibly even the previous one, 1.2.1. > > A pre-release (version 1.3.1pre1) for the next version which includes these > fixes and more is available here: > > http://downloads.xiph.org/releases/flac/beta/ > > A full release (version 1.3.1) will be available in the next couple of days. -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (900, 'testing'), (800, 'unstable'), (500, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages flac depends on: ii libc6 2.19-13 ii libflac8 1.3.0-2+b1 flac recommends no packages. flac suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
