Your message dated Mon, 07 May 2018 11:35:51 +0000
with message-id <[email protected]>
and subject line Bug#287519: fixed in libmad 0.15.1b-8+deb8u1
has caused the Debian Bug report #287519,
regarding libmad: Assertion failed; buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
287519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=287519
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libmad0
Version: 0.15.1b-1
Severity: normal
File: libmad

After enabling assertions in config.h:

mpg321: layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= (511 + 2048 + 8)' failed.

This can crash mpg321; see my opened bug there.

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.7-5-amd64-k8-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libmad0 depends on:
ii  libc6          2.3.2.ds1-19.0.0.2.pure64 GNU C Library: Shared libraries an

-- no debconf information


--- End Message ---
--- Begin Message ---
Source: libmad
Source-Version: 0.15.1b-8+deb8u1

We believe that the bug you reported is fixed in the latest version of
libmad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated libmad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 01 May 2018 13:20:28 +0200
Source: libmad
Binary: libmad0 libmad0-dev
Architecture: source amd64
Version: 0.15.1b-8+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Mad Maintainers <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
 libmad0    - MPEG audio decoder library
 libmad0-dev - MPEG audio decoder development library
Closes: 287519
Changes:
 libmad (0.15.1b-8+deb8u1) jessie-security; urgency=high
 .
   * Properly check the size of the main data. The previous patch
     only checked that it could fit in the buffer, but didn't ensure there
     was actually enough room free in the buffer. This was assigned both
     CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a
     different way to detect it. (Closes: #287519)
   * Rewrite patch to check the size of buffer. It now checks it before reading
     it instead of afterwards checking that we did read too much. This now also
     covers parsing the frame and layer3, not just layer 1 and 2. This was
     originally reported in #508133. CVE-2017-8374 mentions a case in layer 3.

--- End Message ---
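
The first changelog entry distinguishes "could fit in the buffer" from "enough room free in the buffer". The C sketch below is an added illustration of that difference, not libmad's code or the Debian patch; `struct md_store`, `held` and the function names are hypothetical, and only the capacity and the inequality are taken from the assertion quoted in the report.

```c
#include <stddef.h>
#include <string.h>

/* Capacity from the assertion quoted in the bug report. */
#define MDLEN (511 + 2048 + 8)

/* Hypothetical stand-in for the decoder state: `held` bytes of earlier
 * main data already occupy the front of `buf`. */
struct md_store {
    unsigned char buf[MDLEN];
    size_t held;
};

/* Incomplete check: the new data would fit an empty buffer. */
static int fits_in_buffer(size_t md_len, size_t main_data_begin)
{
    return md_len >= main_data_begin && md_len - main_data_begin <= MDLEN;
}

/* Complete check: the new data fits in the room still free after `held`.
 * Same inequality as the assertion, rearranged so nothing can wrap. */
static int fits_in_free_room(const struct md_store *s, size_t md_len,
                             size_t main_data_begin)
{
    if (md_len < main_data_begin || s->held > MDLEN)
        return 0;
    return md_len - main_data_begin <= MDLEN - s->held;
}

/* Append the frame's own bytes only after the complete check passes.
 * Returns 0 on success, -1 if the frame must be rejected. */
static int md_append(struct md_store *s, const unsigned char *src,
                     size_t md_len, size_t main_data_begin)
{
    size_t n;
    if (!fits_in_free_room(s, md_len, main_data_begin))
        return -1;
    n = md_len - main_data_begin;
    memcpy(s->buf + s->held, src, n);
    s->held += n;
    return 0;
}

int main(void)
{
    static struct md_store s = { {0}, 2000 };  /* constructed state */
    static unsigned char frame[MDLEN];         /* constructed input */
    /* 1000 new bytes: fits an empty buffer, not the 567 bytes left. */
    return !(fits_in_buffer(1500, 500) && md_append(&s, frame, 1500, 500) == -1);
}
```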
