Bug#914381: marked as done (libsndfile: CVE-2018-19432)

[Debian Bug Tracking System]

Your message dated Wed, 18 Sep 2019 10:19:40 +0200
with message-id <d8ce79db-559d-46ac-d06f-bd0690ae4...@umlaeute.mur.at>
and subject line Re: Bug#914381: libsndfile: CVE-2018-19432
has caused the Debian Bug report #914381,
regarding libsndfile: CVE-2018-19432
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
914381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914381
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: libsndfile
Version: 1.0.28-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/427

Hi,

The following vulnerability was published for libsndfile.

CVE-2018-19432[0]:
| An issue was discovered in libsndfile 1.0.28. There is a NULL pointer
| dereference in the function sf_write_int in sndfile.c, which will lead
| to a denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19432
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19432
[1] https://github.com/erikd/libsndfile/issues/427

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Version; 1.0.28-5
Thanks.

libsndfile_1.0.28-5 contains a fix for the problem, but does not mention
neither #914381 nor CVE-2018-19432.
Instead it simply says:
>  * Patch to ensure that maxnum channels is not exceeded.
>    Thanks to Brett T. Warden <brett.t.war...@intel.com>

fgmdsr
IOhannes

On Fri, 16 Aug 2019 08:10:41 +0200 Petter Reinholdtsen <p...@hungry.com>
wrote:
> According to <URL:https://security-tracker.debian.org/tracker/CVE-2018-19432 
> >,
> this security issue is only fixed in the jessie (oldoldstable) security
> repository. Why is it not fixed in unstable, stable and oldstable?
> 
> -- 
> Happy hacking
> Petter Reinholdtsen
> 
> 

signature.asc
Description: OpenPGP digital signature

--- End Message ---