Your message dated Sat, 12 Apr 2008 11:47:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#475152: fixed in libfishsound 0.7.0-2.2
has caused the Debian Bug report #475152,
regarding libfishsound: CVE-2008-1686 code execution via crafted header
containing negative offsets
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
475152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475152
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libfishsound1
Version: 0.7.0-2
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libfishsound1.
CVE-2008-1686[0]:
| Uncontrolled array index in Speex 1.1.12 and earlier, as used in
| libfishsound 0.9.0 and earlier, including Illiminable DirectShow
| Filters and Annodex Plugins for Firefox, allows remote attackers to
| execute arbitrary code via a header structure containing a negative
| offset, which is used to dereference a function pointer.
A patch is on:
http://trac.annodex.net/changeset/3536
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
http://security-tracker.debian.net/tracker/CVE-2008-1686
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpsiDk7SRcqz.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: libfishsound
Source-Version: 0.7.0-2.2
We believe that the bug you reported is fixed in the latest version of
libfishsound, which is due to be installed in the Debian FTP archive:
libfishsound1-dbg_0.7.0-2.2_amd64.deb
to pool/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2.2_amd64.deb
libfishsound1-dev_0.7.0-2.2_amd64.deb
to pool/main/libf/libfishsound/libfishsound1-dev_0.7.0-2.2_amd64.deb
libfishsound1_0.7.0-2.2_amd64.deb
to pool/main/libf/libfishsound/libfishsound1_0.7.0-2.2_amd64.deb
libfishsound_0.7.0-2.2.diff.gz
to pool/main/libf/libfishsound/libfishsound_0.7.0-2.2.diff.gz
libfishsound_0.7.0-2.2.dsc
to pool/main/libf/libfishsound/libfishsound_0.7.0-2.2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated libfishsound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 10 Apr 2008 14:57:28 +0200
Source: libfishsound
Binary: libfishsound1 libfishsound1-dev libfishsound1-dbg
Architecture: source amd64
Version: 0.7.0-2.2
Distribution: unstable
Urgency: high
Maintainer: Jamie Wilkinson <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libfishsound1 - simple programming interface that wraps Xiph.Org audio codecs
libfishsound1-dbg - simple programming interface that wraps Xiph.Org audio
codecs (de
libfishsound1-dev - simple programming interface that wraps Xiph.Org audio
codecs (de
Closes: 475152
Changes:
libfishsound (0.7.0-2.2) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update fixes the following security issue:
- CVE-2008-1686: insufficient boundary checks on a header structure
of a speex stream due to missing check for a negative value
might lead to arbitrary code execution (Closes: #475152).
Checksums-Sha1:
8874b32ebe27bbe21032d9ebd01cdfd7dd381ec5 1058 libfishsound_0.7.0-2.2.dsc
7904b22eeb338923e31b32703e7dcb071abfcb96 204804 libfishsound_0.7.0-2.2.diff.gz
bfef41420ed98c80787a1f80b5f657253c2c17a5 14746
libfishsound1_0.7.0-2.2_amd64.deb
29f3e727dd3b795531c3e079abcaabc56e98b490 31028
libfishsound1-dev_0.7.0-2.2_amd64.deb
1f85641f6bfeb578784df4f5e271ae3f446d54ae 23018
libfishsound1-dbg_0.7.0-2.2_amd64.deb
Checksums-Sha256:
b3c56bc9f710f216215f11ad0103efee1275375f1826ef68c04f65bf673e03fb 1058
libfishsound_0.7.0-2.2.dsc
213433557ac85019d81a799ec7840d289a4fcd11fc5297bc0b5667d5ad45c1dd 204804
libfishsound_0.7.0-2.2.diff.gz
de7be7882135def617a700d8244fc4e030cb7f2327a87f0209a04d9c4ddad29d 14746
libfishsound1_0.7.0-2.2_amd64.deb
f84059914e2144d83ee12bc1259351444668c150cd41a79c790082c1b85c7fa8 31028
libfishsound1-dev_0.7.0-2.2_amd64.deb
e94227facc312d0a7d99c175590312cd44aa18c6a5fe1856b07bb19de40bc46f 23018
libfishsound1-dbg_0.7.0-2.2_amd64.deb
Files:
ce9e5d27f954dbbf69be38759b7f6e12 1058 unknown optional
libfishsound_0.7.0-2.2.dsc
8d268f649d641599078e78e652039569 204804 unknown optional
libfishsound_0.7.0-2.2.diff.gz
3e113fd64115b681241093f69e625c48 14746 libs optional
libfishsound1_0.7.0-2.2_amd64.deb
b98597fd334c8e864204d02c63486aa3 31028 libdevel optional
libfishsound1-dev_0.7.0-2.2_amd64.deb
af6c52838ff9220c4202a9aa379ab437 23018 libdevel optional
libfishsound1-dbg_0.7.0-2.2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIAJ9EHYflSXNkfP8RAnV1AKCkUvVl85ddIW/gYV/nXvNF3rVs2gCfdNbs
IK+5UD/tv66AjiYlcNelCXg=
=uQDo
-----END PGP SIGNATURE-----
--- End Message ---