Your message dated Thu, 16 Jul 2020 10:07:51 +0200
with message-id <[email protected]>
and subject line Re: Bug#931488: Fixed upstream in jack2 1.9.13
has caused the Debian Bug report #931488,
regarding jackd2: CVE-2019-13351
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931488
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jackd2
Version: 1.9.12~dfsg-2
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for jackd2.
CVE-2019-13351[0]:
| posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as
| distributed with alsa-plugins 1.1.7 and later) has a "double file
| descriptor close" issue during a failed connection attempt when jackd2
| is not running. Exploitation success depends on multithreaded timing
| of that double close, which can result in unintended information
| disclosure, crashes, or file corruption due to having the wrong file
| associated with the file descriptor.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13351
[1] https://github.com/jackaudio/jack2/pull/480
Regards,
Salvatore
--- End Message ---
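The bug class named in the CVE description above, shown as an added example (not JACK2 code and not part of the original messages): after a descriptor is closed, the kernel hands the same number to the next `open()`, so a second `close()` on the stale number closes an unrelated file. The `client_sock` wrapper, the function names, and the two-cleanup-path scenario are constructed for illustration; the "other thread" is simulated sequentially so the result is deterministic.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical socket wrapper for illustration; not the JACK2 class. */
struct client_sock { int fd; };

/* Buggy cleanup: closes but leaves the stale descriptor number stored. */
static void sock_close_buggy(struct client_sock *s) {
    close(s->fd);
}

/* Hardened cleanup: idempotent, invalidates the number after first close. */
static void sock_close_safe(struct client_sock *s) {
    if (s->fd >= 0) {
        close(s->fd);
        s->fd = -1;
    }
}

/* Returns 1 if fd currently refers to an open descriptor. */
static int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Constructed scenario: two cleanup paths both close the same wrapper.
 * Between them an unrelated open() happens (standing in for another
 * thread) and receives the lowest free number, i.e. the one just released.
 * Returns 1 if the unrelated descriptor survived, 0 if it was closed by
 * mistake, -1 on setup failure. */
static int victim_survives(void (*do_close)(struct client_sock *)) {
    struct client_sock s = { open("/dev/null", O_RDONLY) };
    if (s.fd < 0) return -1;
    do_close(&s);                              /* first cleanup path */
    int other = open("/dev/null", O_WRONLY);   /* unrelated open elsewhere */
    if (other < 0) return -1;
    do_close(&s);                              /* second cleanup path */
    int alive = fd_is_open(other);
    if (alive) close(other);
    return alive;
}

int main(void) {
    printf("buggy cleanup: unrelated fd survives = %d\n",
           victim_survives(sock_close_buggy));
    printf("safe cleanup:  unrelated fd survives = %d\n",
           victim_survives(sock_close_safe));
    return 0;
}
```

In a real multithreaded process the interleaving depends on timing, which is why the CVE text describes the outcome as timing-dependent.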
--- Begin Message ---
Version: 1.9.14~dfsg-0.1
On 2020-01-11 12:26:12, Joseph Yasi wrote:
> This was marked fixed in NMU, but no NMU update was ever pushed. This
> bug causes other programs (e.g. kodi) to crash that aren't even using
> the jack daemon when they scan ALSA devices due to ALSA including the
> jack plugin.
>
> On Wed, Oct 30, 2019 at 10:40 AM Joseph Yasi <[email protected]> wrote:
> >
> > This was fixed upstream in jack2 1.9.13. Pushing a new release will
> > take care of this.
jack2 1.9.14 is now available in the archive.
Cheers
--
Sebastian Ramacher
--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers