Your message dated Thu, 05 Feb 2026 21:36:01 +0000
with message-id <[email protected]>
and subject line Bug#1126910: fixed in localsearch 3.8.2-12
has caused the Debian Bug report #1126910,
regarding localsearch: CVE-2026-1764 CVE-2026-1765 CVE-2026-1766 CVE-2026-1767
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126910
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: localsearch
Version: 3.8.2-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for localsearch.
CVE-2026-1764[0]:
| Heap Buffer Overflow in GNOME localsearch MP3 Extractor
CVE-2026-1765[1]:
| Heap Buffer Overflow in GNOME localsearch MP3 Extractor (TXXX Tags)
CVE-2026-1766[2]:
| Heap Buffer Overflow in GNOME localsearch MP3 Extractor (ID3v2.3 COMM Tags)
CVE-2026-1767[3]:
| Heap Buffer Overflow in GNOME localsearch MP3 Extractor
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-1764
https://www.cve.org/CVERecord?id=CVE-2026-1764
[1] https://security-tracker.debian.org/tracker/CVE-2026-1765
https://www.cve.org/CVERecord?id=CVE-2026-1765
[2] https://security-tracker.debian.org/tracker/CVE-2026-1766
https://www.cve.org/CVERecord?id=CVE-2026-1766
[3] https://security-tracker.debian.org/tracker/CVE-2026-1767
https://www.cve.org/CVERecord?id=CVE-2026-1767
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: localsearch
Source-Version: 3.8.2-12
Done: Jeremy Bícha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
localsearch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated localsearch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 05 Feb 2026 16:06:08 -0500
Source: localsearch
Built-For-Profiles: noudeb
Architecture: source
Version: 3.8.2-12
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1126910
Changes:
 localsearch (3.8.2-12) unstable; urgency=high
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: Heap Buffer Overflow
     - debian/patches/CVE-2026-1764.patch: check for valid offsets
       extracting MP3 performer tags in
       src/tracker-extract/tracker-extract-mp3.c.
     - CVE-2026-1764
   * SECURITY UPDATE: NULL Pointer Dereference
     - debian/patches/bug426.patch: bail out on 0-size frame for ID3v2.0
       tags in src/tracker-extract/tracker-extract-mp3.c.
     - No CVE number
   * SECURITY UPDATE: Heap Buffer Overflow
     - debian/patches/CVE-2026-1765.patch: check for buffer boundaries
       extracting MP3 TXXX tags in
       src/tracker-extract/tracker-extract-mp3.c.
     - CVE-2026-1765
   * SECURITY UPDATE: Heap Buffer Overflow
     - debian/patches/CVE-2026-1766-pre1.patch: minor code refactor in
       src/tracker-extract/tracker-extract-mp3.c.
     - debian/patches/CVE-2026-1766.patch: refactor/fix handling of COMM
       tags in src/tracker-extract/tracker-extract-mp3.c.
     - CVE-2026-1766
   * SECURITY UPDATE: Heap Buffer Overflow
     - debian/patches/CVE-2026-1767.patch: fix accounting of offsets within
       MP3 performer tags in src/tracker-extract/tracker-extract-mp3.c.
     - CVE-2026-1767
     - Closes: #1126910
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---