Your message dated Wed, 27 Dec 2017 17:51:02 +0000
with message-id <[email protected]>
and subject line Bug#876779: fixed in libvorbis 1.3.5-4.1
has caused the Debian Bug report #876779,
regarding libvorbis: CVE-2017-14632
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
876779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libvorbis
Version: 1.3.5-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328
Hi,
the following vulnerability was published for libvorbis.
CVE-2017-14633[0]:
| In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
| exists in the function mapping0_forward() in mapping0.c, which may lead
| to DoS when operating on a crafted audio file with vorbis_analysis().
The reproducer was not attached to the upstream issue, since it looks like
it was not possible for the reporter to include it in the report.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
[1] https://gitlab.xiph.org/xiph/vorbis/issues/2328
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libvorbis
Source-Version: 1.3.5-4.1
We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvorbis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 20 Dec 2017 17:31:19 +0100
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source
Version: 1.3.5-4.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description:
libvorbis-dbg - debug files for Vorbis General Audio Compression Codec
libvorbis-dev - development files for Vorbis General Audio Compression Codec
libvorbis0a - decoder library for Vorbis General Audio Compression Codec
libvorbisenc2 - encoder library for Vorbis General Audio Compression Codec
libvorbisfile3 - high-level API for Vorbis General Audio Compression Codec
Closes: 876778 876779
Changes:
libvorbis (1.3.5-4.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633
(Closes: #876778, 876779)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---