Your message dated Sat, 12 Apr 2008 11:47:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#475152: fixed in libfishsound 0.7.0-2.2
has caused the Debian Bug report #475152,
regarding libfishsound: CVE-2008-1686 code execution via crafted header 
containing negative offsets
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
475152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475152
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libfishsound1
Version: 0.7.0-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libfishsound1.


CVE-2008-1686[0]:
| Uncontrolled array index in Speex 1.1.12 and earlier, as used in
| libfishsound 0.9.0 and earlier, including Illiminable DirectShow
| Filters and Annodex Plugins for Firefox, allows remote attackers to
| execute arbitrary code via a header structure containing a negative
| offset, which is used to dereference a function pointer.

A patch is on:
http://trac.annodex.net/changeset/3536

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
    http://security-tracker.debian.net/tracker/CVE-2008-1686

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpsiDk7SRcqz.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: libfishsound
Source-Version: 0.7.0-2.2

We believe that the bug you reported is fixed in the latest version of
libfishsound, which is due to be installed in the Debian FTP archive:

libfishsound1-dbg_0.7.0-2.2_amd64.deb
  to pool/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2.2_amd64.deb
libfishsound1-dev_0.7.0-2.2_amd64.deb
  to pool/main/libf/libfishsound/libfishsound1-dev_0.7.0-2.2_amd64.deb
libfishsound1_0.7.0-2.2_amd64.deb
  to pool/main/libf/libfishsound/libfishsound1_0.7.0-2.2_amd64.deb
libfishsound_0.7.0-2.2.diff.gz
  to pool/main/libf/libfishsound/libfishsound_0.7.0-2.2.diff.gz
libfishsound_0.7.0-2.2.dsc
  to pool/main/libf/libfishsound/libfishsound_0.7.0-2.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated libfishsound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Apr 2008 14:57:28 +0200
Source: libfishsound
Binary: libfishsound1 libfishsound1-dev libfishsound1-dbg
Architecture: source amd64
Version: 0.7.0-2.2
Distribution: unstable
Urgency: high
Maintainer: Jamie Wilkinson <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libfishsound1 - simple programming interface that wraps Xiph.Org audio codecs
 libfishsound1-dbg - simple programming interface that wraps Xiph.Org audio 
codecs (de
 libfishsound1-dev - simple programming interface that wraps Xiph.Org audio 
codecs (de
Closes: 475152
Changes: 
 libfishsound (0.7.0-2.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issue:
     - CVE-2008-1686: insufficient boundary checks on a header structure
       of a speex stream due to missing check for a negative value
       might lead to arbitrary code execution (Closes: #475152).
Checksums-Sha1: 
 8874b32ebe27bbe21032d9ebd01cdfd7dd381ec5 1058 libfishsound_0.7.0-2.2.dsc
 7904b22eeb338923e31b32703e7dcb071abfcb96 204804 libfishsound_0.7.0-2.2.diff.gz
 bfef41420ed98c80787a1f80b5f657253c2c17a5 14746 
libfishsound1_0.7.0-2.2_amd64.deb
 29f3e727dd3b795531c3e079abcaabc56e98b490 31028 
libfishsound1-dev_0.7.0-2.2_amd64.deb
 1f85641f6bfeb578784df4f5e271ae3f446d54ae 23018 
libfishsound1-dbg_0.7.0-2.2_amd64.deb
Checksums-Sha256: 
 b3c56bc9f710f216215f11ad0103efee1275375f1826ef68c04f65bf673e03fb 1058 
libfishsound_0.7.0-2.2.dsc
 213433557ac85019d81a799ec7840d289a4fcd11fc5297bc0b5667d5ad45c1dd 204804 
libfishsound_0.7.0-2.2.diff.gz
 de7be7882135def617a700d8244fc4e030cb7f2327a87f0209a04d9c4ddad29d 14746 
libfishsound1_0.7.0-2.2_amd64.deb
 f84059914e2144d83ee12bc1259351444668c150cd41a79c790082c1b85c7fa8 31028 
libfishsound1-dev_0.7.0-2.2_amd64.deb
 e94227facc312d0a7d99c175590312cd44aa18c6a5fe1856b07bb19de40bc46f 23018 
libfishsound1-dbg_0.7.0-2.2_amd64.deb
Files: 
 ce9e5d27f954dbbf69be38759b7f6e12 1058 unknown optional 
libfishsound_0.7.0-2.2.dsc
 8d268f649d641599078e78e652039569 204804 unknown optional 
libfishsound_0.7.0-2.2.diff.gz
 3e113fd64115b681241093f69e625c48 14746 libs optional 
libfishsound1_0.7.0-2.2_amd64.deb
 b98597fd334c8e864204d02c63486aa3 31028 libdevel optional 
libfishsound1-dev_0.7.0-2.2_amd64.deb
 af6c52838ff9220c4202a9aa379ab437 23018 libdevel optional 
libfishsound1-dbg_0.7.0-2.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIAJ9EHYflSXNkfP8RAnV1AKCkUvVl85ddIW/gYV/nXvNF3rVs2gCfdNbs
IK+5UD/tv66AjiYlcNelCXg=
=uQDo
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to