Your message dated Thu, 19 Jan 2017 17:49:05 +0000
with message-id <e1cugpd-0001sr...@fasolo.debian.org>
and subject line Bug#851612: fixed in opus 1.2~alpha2-1
has caused the Debian Bug report #851612,
regarding opus: CVE-2017-0381: Memory corruption during media file and data
processing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
851612: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: opus
Version: 1.1-2
Severity: grave
Tags: upstream security patch
Justification: user security hole
Hi,
the following vulnerability was published for opus.
CVE-2017-0381[0]:
Memory corruption during media file and data processing
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-0381
[1] https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: opus
Source-Version: 1.2~alpha2-1
We believe that the bug you reported is fixed in the latest version of
opus, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 851...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ron Lee <r...@debian.org> (supplier of updated opus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 20 Jan 2017 02:48:31 +1030
Source: opus
Binary: libopus0 libopus-dev libopus-dbg libopus-doc
Architecture: source amd64 all
Version: 1.2~alpha2-1
Distribution: unstable
Urgency: medium
Maintainer: Ron Lee <r...@debian.org>
Changed-By: Ron Lee <r...@debian.org>
Description:
libopus-dbg - debugging symbols for libopus
libopus-dev - Opus codec library development files
libopus-doc - libopus API documentation
libopus0 - Opus codec runtime library
Closes: 851612
Changes:
opus (1.2~alpha2-1) unstable; urgency=medium
.
  * Run the tonality analysis at 24 kHz, which reduces complexity while giving
    better frequency resolution for the tonality estimate.
  * Speech quality improvements especially in the 12-20 kbit/s range.
  * Improved VBR encoding for hybrid mode.
  * More aggressive use of wider speech bandwidth, including fullband speech
    starting at 14 kbit/s.
  * Music quality improvements in the 32-48 kb/s range.
  * Generic and SSE CELT optimizations.
  * Support for directly encoding packets up to 120 ms.
  * DTX support for CELT mode.
  * SILK CBR improvements.
  * Ensure that NLSF cannot be negative when computing a min distance between
    them. This was reported and fixed in July, and assessed as having only a
    relatively minor impact (garbage output, from the garbage input needed to
    trigger it), or at very worst, an assertion failure or simple crash from
    a slightly out of bounds read. In December it was assigned CVE-2017-0381
    by someone other than the upstream developers, with claims of it being a
    'Critical' issue on Android, but we're yet to see any analysis to back
    that up. Closes: #851612
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---