Bug#870333: marked as done (libid3tag: CVE-2017-11551)

Debian Bug Tracking System Sun, 07 Jan 2018 04:15:44 -0800

Your message dated Sun, 7 Jan 2018 13:13:18 +0100
with message-id <[email protected]>
and subject line Re: [pkg-mad-maintainers] Bug#870333: libid3tag: CVE-2017-11551
has caused the Debian Bug report #870333,
regarding libid3tag: CVE-2017-11551
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
870333: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Source: libid3tag
Version: 0.15.1b-11
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for libid3tag.

CVE-2017-11551[0]:
| The id3_field_parse function in field.c in libid3tag 0.15.1b allows
| remote attackers to cause a denial of service (OOM) via a crafted MP3
| file.

Quickly skimming over the code looks this would be present. But please
double-check. This CVE is the second of the issues listed at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11551
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11551
[1] http://seclists.org/fulldisclosure/2017/Jul/85

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

On Tue, Aug 01, 2017 at 10:14:21AM +0200, Salvatore Bonaccorso wrote:
> the following vulnerability was published for libid3tag.
> 
> CVE-2017-11551[0]:
> | The id3_field_parse function in field.c in libid3tag 0.15.1b allows
> | remote attackers to cause a denial of service (OOM) via a crafted MP3
> | file.
> 
> Quickly skimming over the code looks this would be present. But please
> double-check. This CVE is the second of the issues listed at [1].

It's not present, it's the same problem as #304913. I've marked
this fixed in the tracker.


Kurt

--- End Message ---

Bug#870333: marked as done (libid3tag: CVE-2017-11551)

Reply via email to