Bug#893544: mp4v2: CVE-2018-7339

2018-03-19 Thread Salvatore Bonaccorso
Source: mp4v2
Version: 2.0.0~dfsg0-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for mp4v2.

CVE-2018-7339[0]:
| The MP4Atom class in mp4atom.cpp in MP4v2 through 2.0.0 mishandles
| Entry Number validation for the MP4 Table Property, which allows remote
| attackers to cause a denial of service (overflow, insufficient memory
| allocation, and segmentation fault) or possibly have unspecified other
| impact via a crafted mp4 file.

Not clear: is there still an active upstream? If so, have the
developers been made aware of the report?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7339
[1] https://github.com/pingsuewim/libmp4_bof

Regards,
Salvatore

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


Bug#892526: gpac: CVE-2018-7752: Stack buffer overflow in av_parsers.c

2018-03-10 Thread Salvatore Bonaccorso
Source: gpac
Version: 0.5.2-426-gc5ad4e4+dfsg5-3
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/gpac/gpac/issues/997

Hi,

the following vulnerability was published for gpac.

CVE-2018-7752[0]:
| GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps
| function in media_tools/av_parsers.c, a different vulnerability than
| CVE-2018-1000100.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7752
[1] https://github.com/gpac/gpac/issues/997
[2] https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#889915: libfaad2 in Wheezy contains patches for some security bugs. They were not backported to Jessie.

2018-02-09 Thread Salvatore Bonaccorso
Hi Fabian,

On Fri, Feb 09, 2018 at 08:26:10AM +0100, Fabian Greffrath wrote:
> tags 889915 +security +jessie
> thanks
> 
> Forwarding this to the security team.

The current issues which were fixed in DLA-1077-1 are all no-dsa, so
they did not warrant a DSA via security.d.o. Can you fix those issues
via upcoming point releases?

Regards,
Salvatore



Bug#888654: mpv: CVE-2018-6360

2018-01-28 Thread Salvatore Bonaccorso
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore
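
The CVE text above attributes the issue to a missing protocol whitelist for URLs that youtube-dl hands back to the player. The following Lua sketch of such a default-deny scheme check is an added example, not part of the original message and not mpv's own code; SAFE_SCHEMES, its contents, the function names and the sample URLs are assumptions made for illustration.

```lua
-- Added example (not mpv's code): scheme allowlist for media URLs returned by
-- an external extractor such as youtube-dl. SAFE_SCHEMES and all function
-- names are assumptions made for this illustration.
local SAFE_SCHEMES = {
    http = true, https = true, ftp = true, ftps = true,
    rtmp = true, rtmps = true, rtsp = true, mms = true,
}

-- Return the lower-cased scheme of an absolute URL, or nil when the string
-- does not start with an RFC 3986 scheme followed by "://".
local function url_scheme(url)
    if type(url) ~= "string" then
        return nil
    end
    -- scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ); no leading space
    local scheme = url:match("^(%a[%w+.%-]*)://")
    return scheme and scheme:lower() or nil
end

-- Allow a URL only if its scheme is explicitly listed. Everything else,
-- including scheme-less strings and player-internal pseudo protocols, is
-- rejected (default deny).
local function url_is_safe(url)
    local scheme = url_scheme(url)
    return scheme ~= nil and SAFE_SCHEMES[scheme] == true
end

-- Split extractor results into playable and rejected entries so the rejected
-- ones can be logged instead of being handed to the demuxer.
local function filter_urls(urls)
    local accepted, rejected = {}, {}
    for _, url in ipairs(urls) do
        if url_is_safe(url) then
            accepted[#accepted + 1] = url
        else
            rejected[#rejected + 1] = url
        end
    end
    return accepted, rejected
end

-- Constructed sample input; the hosts are placeholders.
local sample = {
    "https://media.example.org/clip.webm",
    "HTTPS://MEDIA.EXAMPLE.ORG/CLIP.WEBM",   -- scheme match is case-insensitive
    "av://lavfi:ladspa=file=",               -- the form quoted in the CVE text
    "clip.webm",                             -- no scheme at all
    " https://media.example.org/clip.webm",  -- leading space: not a clean URL
}

local accepted, rejected = filter_urls(sample)
for _, url in ipairs(accepted) do
    print("play:   " .. url)
end
for _, url in ipairs(rejected) do
    print("reject: " .. string.format("%q", url))
end
```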



Re: ffmpeg 3.2.10 update

2018-01-27 Thread Salvatore Bonaccorso
Hi James,

On Sat, Jan 27, 2018 at 10:19:19AM +, James Cowgill wrote:
> Hi,
> 
> On 26/01/18 17:53, Moritz Mühlenhoff wrote:
> > On Fri, Jan 26, 2018 at 05:13:54PM +, James Cowgill wrote:
> >> Hi,
> >>
> >> I've pushed ffmpeg 3.2.10 here:
> >> https://salsa.debian.org/multimedia-team/ffmpeg/tree/debian/stretch
> >>
> >> Since I've not been doing these updates before, what is the correct
> >> procedure. Do I just upload it to security-master, or should I contact
> >> the security team first?
> > 
> > For ffmpeg (since it's following the 3.2.x series) uploading to
> > security-master is fine (unless some update happens to provide
> > changes in debian/ beyond the changelog, then please send us a
> > debdiff).
> 
> I've uploaded it and attached the debdiff. There are some minor
> modifications to debian/ outside the changelog, but I don't think
> they'll be controversial.

Something went wrong, presumably the upload was interrupted?

The upload is missing the orig.tar.xz:

[...]
Jan 27 10:20:39 processing /ffmpeg_3.2.10-1~deb9u1_source.changes
Jan 27 10:20:39 ffmpeg_3.2.10.orig.tar.xz doesn't exist (ignored for now)
Jan 27 10:25:39 processing /ffmpeg_3.2.10-1~deb9u1_source.changes
Jan 27 10:25:39 ffmpeg_3.2.10.orig.tar.xz doesn't exist (ignored for now)
[...]

You should be able to just push ffmpeg_3.2.10.orig.tar.xz in the next
few hours, and the upload will be processed.

Regards,
Salvatore



Bug#884735: libsndfile: CVE-2017-17456 CVE-2017-17457

2017-12-18 Thread Salvatore Bonaccorso
Source: libsndfile
Version: 1.0.28-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/344

Hi,

the following vulnerabilities were published for libsndfile.

CVE-2017-17456[0]:
| The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead
| to a remote DoS attack (SEGV on unknown address 0x), a
| different vulnerability than CVE-2017-14245.

CVE-2017-17457[1]:
| The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead
| to a remote DoS attack (SEGV on unknown address 0x), a
| different vulnerability than CVE-2017-14246.

Note, as mentioned in the CVE assignments, that these are different from
CVE-2017-14245 and CVE-2017-14246; crash PoC files are attached to the
upstream bug report and are demonstrable with e.g. an ASAN build of
libsndfile.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
[1] https://security-tracker.debian.org/tracker/CVE-2017-17457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Salvatore Bonaccorso
Control: reassign -1 src:aubio 0.4.5-1

Hi Carl,

On Tue, Dec 12, 2017 at 11:20:42PM +0100, Carl Eugen Hoyos wrote:
> This is not a bug in FFmpeg:
> aubio initializes libswresample with 2 channels and then passes data
> that contains just one channel.
> 
> That can't really work, or how could it?
> swresample has no knowledge about what is in the array except what it
> is told
> There are multiple ways to provide this information to swr
> 
> (Answer from Michael on ffmpeg-security)

Thanks for your and Michael's analysis/comment. So let's reassign
this to src:aubio since it would need to be fixed there.

Regards,
Salvatore



Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Salvatore Bonaccorso
Source: ffmpeg
Version: 7:3.4-4
Severity: normal
Tags: security upstream
Control: found -1 7:3.4.1-1

Hi,

the following vulnerability was published for ffmpeg.

CVE-2017-17555[0]:
| The swri_audio_convert function in audioconvert.c in FFmpeg
| libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6,
| and other products, allows remote attackers to cause a denial of
| service (NULL pointer dereference and application crash) via a crafted
| audio file.

The issue is triggerable/demonstrable with the POC attached to [1]:

$ ./aubio/build/examples/aubiomfcc ./crash-2-null-ptr
[mp3 @ 0x61b00080] Format mp3 detected only with low score of 1, 
misdetection possible!
[mp3 @ 0x61b00080] Skipping 3350 bytes of junk at 0.
[mp3 @ 0x61b00080] Estimating duration from bitrate, this may be inaccurate
0.00-18.015953 -0.012183 -0.867832 -0.616462 0.813869 -1.063807 
-0.276262 -0.236723 -1.673019 1.016008 -0.041898 0.450148 -0.699137
ASAN:DEADLYSIGNAL
=
==13255==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x7fd18a85df33 bp 0x0004 sp 0x7ffec8afd8e8 T0)
==13255==The signal is caused by a READ memory access.
==13255==Hint: address points to the zero page.
#0 0x7fd18a85df32  (/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
(/usr/lib/x86_64-linux-gnu/libswresample.so.2+0x11f32)
==13255==ABORTING

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x72af0f33 in ff_int16_to_float_a_sse2.next ()
at src/libswresample/x86/audio_convert.asm:656
656 src/libswresample/x86/audio_convert.asm: No such file or directory.
(gdb) bt
#0  0x72af0f33 in ff_int16_to_float_a_sse2.next ()
at src/libswresample/x86/audio_convert.asm:656
#1  0x72ae78de in swri_audio_convert (ctx=0x60701740, 
out=out@entry=0x632037d0, in=in@entry=0x632035b0, len=len@entry=384) at 
src/libswresample/audioconvert.c:226
#2  0x72aee190 in swr_convert_internal (s=s@entry=0x63200800, 
out=out@entry=0x63203e30, out_count=out_count@entry=384, 
in=in@entry=0x632035b0, in_count=in_count@entry=384)
at src/libswresample/swresample.c:633
#3  0x72aef252 in swr_convert_internal (in_count=384, 
in=0x632035b0, out_count=384, out=0x63203e30, s=0x63200800) at 
src/libswresample/swresample.c:470
#4  0x72aef252 in swr_convert (s=0x63200800, out_arg=, out_count=, in_arg=, in_count=)
at src/libswresample/swresample.c:800
#5  0x76c08af5 in aubio_source_avcodec_readframe ()
at /usr/lib/x86_64-linux-gnu/libaubio.so.5
#6  0x76c08c65 in aubio_source_avcodec_do () at 
/usr/lib/x86_64-linux-gnu/libaubio.so.5
#7  0x9db4 in examples_common_process (process_func=0x91fb 
, print=0x9266 ) at 
../examples/utils.c:160
#8  0x9875 in main (argc=2, argv=0x7fffeb88) at 
../examples/aubiomfcc.c:66


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17555
[1] 
https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#876783: libsndfile: CVE-2017-14634

2017-11-25 Thread Salvatore Bonaccorso
Hi

On Mon, Sep 25, 2017 at 10:24:01PM +0200, Salvatore Bonaccorso wrote:
> Forwarded: https://github.com/erikd/libsndfile/issues/318

Upstream fix: 
https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788

Regards,
Salvatore



Bug#878809: closed by Jaromír Mikeš <mira.mi...@seznam.cz> (Bug#878809: fixed in sox 14.4.2-1)

2017-11-19 Thread Salvatore Bonaccorso
Source: sox
Source-Version: 14.4.2-1

Hi Jaromir,

On Sun, Nov 19, 2017 at 10:23:01PM +0100, Jaromír Mikeš wrote:
> 2017-11-19 21:11 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
> 
> > Control: reopen -1
> > Control: found -1 14.4.1-5
> > Control: found -1 14.4.2-1
> > Control: tags -1 + moreinfo
> >
> > Hi Jaromir,
> >
> > Are you sure #878809 is yet fixed?
> >
> > With the patches applied on top of 14.4.2 we see still that sox aborts
> > with:
> >
> > $ ./sox-14.4.2/src/sox 03-abort out.wav
> > sox: formats.c:227: sox_append_comment: Assertion `comment' failed.
> > Aborted
> >
> > So the assertion is still reachable, so at least
> > 0005-CVE-2017-15371.patch did not solve the problem?
> >
> > What am I missing here? Note, I'm just reopening the bug as
> > safety measure to double-check. If I turn out to be wrong (likely) we can
> > reclose it, but I wanted to be sure.
> >
> 
> Hi Salvatore,
> 
> can you provide some more details please. Upstream developers claim that
> the issue should be solved
> by 0005-CVE-2017-15371.patch

sure, but all I have is basically the above with the poc attached in
the initial message. But I just reverified and I got probably an error
in my initial retest.

The assertion is not reached anymore with the experimental version:

$ sox --version
sox:  SoX v14.4.2
$ sox 03-abort out.vaw
sox FAIL formats: can't open input file `03-abort': FLAC ERROR whilst decoding 
metadata

Regards,
Salvatore


Bug#876783: libsndfile: CVE-2017-14634

2017-09-25 Thread Salvatore Bonaccorso
Source: libsndfile
Version: 1.0.28-4
Severity: normal
Tags: upstream security
Forwarded: https://github.com/erikd/libsndfile/issues/318
Control: found -1 1.0.25-9.1

Hi,

the following vulnerability was published for libsndfile.

CVE-2017-14634[0]:
| In libsndfile 1.0.28, a divide-by-zero error exists in the function
| double64_init() in double64.c, which may lead to DoS when playing a
| crafted audio file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14634
[1] https://github.com/erikd/libsndfile/issues/318

Regards,
Salvatore



Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Salvatore Bonaccorso

On Wed, Aug 30, 2017 at 04:34:44PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> All, but not CVE-2017-12951 are probably fixed already with the
> 4.0.0-4 upload to unstable today.

Might actually just uncover another problem after the fix.

Regards,
Salvatore



Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Salvatore Bonaccorso
Hi

All, but not CVE-2017-12951 are probably fixed already with the
4.0.0-4 upload to unstable today.

Regards,
Salvatore



Bug#871931: libvpx: CVE-2017-0641

2017-08-12 Thread Salvatore Bonaccorso
Hi

On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> Hi,
> 
> we are already using:
> 
> --size-limit=16384x16384

Yupp, I know that, I added that comment to the tracker. It's not clear
to me if we need to limit it quite further. The android approach is to
limit it to 4k frames. Maybe indeed we should mark it as fixed for that
version where the size-limit was added (which should be 1.4.0-4). But
the size-limit of 16384x16384 was added back in 2015 to
mitigate/work around CVE-2015-1258. So I suspect we will need to limit
it further.

*but*

cc'ing Moritz, who added libvpx to our DSA needed list for that
purpose.

Regards,
Salvatore



Bug#871931: libvpx: CVE-2017-0641

2017-08-12 Thread Salvatore Bonaccorso
Source: libvpx
Version: 1.6.1-3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libvpx.

CVE-2017-0641[0]:
| A remote denial of service vulnerability in libvpx in Mediaserver
| could enable an attacker to use a specially crafted file to cause a
| device hang or reboot. This issue is rated as High severity due to the
| possibility of remote denial of service. Product: Android. Versions:
| 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID:
| A-34360591.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#870809: lame: CVE-2017-11720: duplicate, already fixed in all versions

2017-08-08 Thread Salvatore Bonaccorso
Control: notfound -1 3.99.5+repack1-7
Control: found -1 3.99.5+repack1-3
Control: fixed -1 3.99.5+repack1-3+deb7u1
Control: fixed -1 3.99.5+repack1-6

Hi

On Tue, Aug 08, 2017 at 03:53:35PM -0400, Hugo Lefeuvre wrote:
> Hi,
> 
> This bug is a duplicate of #777159, which is already fixed in all debian
> versions of lame.

In the meanwhile the reporter has indeed provided the password for the
report_poc.zip in public (was unfortunately not the case until 2 days
ago ...), so that could be verified and you are correct.

Regards,
Salvatore



Bug#870856: soundtouch: CVE-2017-9259

2017-08-05 Thread Salvatore Bonaccorso
Source: soundtouch
Version: 1.9.2-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for soundtouch.

CVE-2017-9259[0]:
| The TDStretch::acceptNewOverlapLength function in
| source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote
| attackers to cause a denial of service (memory allocation error and
| application crash) via a crafted wav file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9259

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#870857: soundtouch: CVE-2017-9260

2017-08-05 Thread Salvatore Bonaccorso
Source: soundtouch
Version: 1.9.2-2
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for soundtouch.

CVE-2017-9260[0]:
| The TDStretchSSE::calcCrossCorr function in
| source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via a crafted wav file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9260

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#870854: soundtouch: CVE-2017-9258

2017-08-05 Thread Salvatore Bonaccorso
Source: soundtouch
Version: 1.9.2-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for soundtouch. There are as
well CVE-2017-9259 and CVE-2017-9260, but since I have not verified if
the issues are all common back to jessie, I am filing individual bugs. OTOH
I do not think they deserve a DSA, let us know though if you disagree.

CVE-2017-9258[0]:
| The TDStretch::processSamples function in
| source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote
| attackers to cause a denial of service (infinite loop and CPU
| consumption) via a crafted wav file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9258

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#870809: lame: CVE-2017-11720

2017-08-05 Thread Salvatore Bonaccorso
Source: lame
Version: 3.99.5+repack1-7
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/lame/bugs/460/

Hi,

the following vulnerability was published for lame.

CVE-2017-11720[0]:
| There is a division-by-zero vulnerability in LAME 3.99.5, caused by a
| malformed input file.

This should be/is almost surely the same as reported in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11720
[1] https://sourceforge.net/p/lame/bugs/460/
[2] 
https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/

Regards,
Salvatore



Bug#870799: mpg123: CVE-2017-9545

2017-08-05 Thread Salvatore Bonaccorso
Source: mpg123
Version: 1.23.8-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for mpg123.

CVE-2017-9545[0]:
| The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows
| remote attackers to cause a denial of service (buffer over-read) via a
| crafted mp3 file.

Not sure if the reporter has reported that upstream. 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9545
[1] http://seclists.org/fulldisclosure/2017/Jul/65

Please adjust the affected versions in the BTS as needed, checked only
versions back to 1.23.8-1 in stretch.

Regards,
Salvatore



Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Salvatore Bonaccorso
Control: tags -1 + patch

On Sun, Jul 02, 2017 at 11:12:36AM +0200, Salvatore Bonaccorso wrote:
> Source: mpg123
> Version: 1.25.0-1
> Severity: important
> Tags: upstream security
> 
> Hi,
> 
> the following vulnerability was published for mpg123.
> 
> CVE-2017-10683[0]:
> | In mpg123 1.25.0, there is a heap-based buffer over-read in the
> | convert_latin1 function in libmpg123/id3.c. A crafted input will lead
> | to a remote denial of service attack.
> 
> This was reported at [1], but Hanno Boeck recently reported [2] as
> well.
> 
> Looking at both cases I think those should be the same issue, and
> upstream has a patch for the issue.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10683
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
> [2] https://sourceforge.net/p/mpg123/bugs/252/

Attaching the extracted patch.

Regards,
Salvatore
Index: NEWS
===
--- NEWS	(revision 4251)
+++ NEWS	(revision 4252)
@@ -2,6 +2,9 @@
 ---
 - libmpg123:
 -- Avoid memset(NULL, 0, 0) to calm down the paranoid.
+-- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
+   offset from the frame flag bytes (unnoticed in practice for a long
+   time).
 
 1.25.0: MP3 now patent-free worldwide!
 ---
Index: src/libmpg123/id3.c
===
--- src/libmpg123/id3.c	(revision 4251)
+++ src/libmpg123/id3.c	(revision 4252)
@@ -700,6 +700,8 @@
 
 	/* length-10 or length-20 (footer present); 4 synchsafe integers == 28 bit number  */
 	/* we have already read 10 bytes, so left are length or length+10 bytes belonging to tag */
+	/* Note: This is an 28 bit value in 32 bit storage, plenty of space for */
+	/* length+x for reasonable x. */
 	if(!synchsafe_to_long(buf+2,length))
 	{
 		if(NOQUIET) error4("Bad tag length (not synchsafe): 0x%02x%02x%02x%02x; You got a bad ID3 tag here.", buf[2],buf[3],buf[4],buf[5]);
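Review bot: the comment added above the synchsafe_to_long(buf+2,length) call says there is room for length+x "for reasonable x" without saying what bounds x, so the overflow claim cannot be checked from the comment alone. Name the largest addend actually used (the context two lines up mentions length+10 for the footer case) and tie the statement to the type of length; the wording should also read "a 28 bit value".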
@@ -764,13 +766,16 @@
 	char id[5];
 	unsigned long framesize;
 	unsigned long fflags; /* need 16 bits, actually */
+	/* bytes of frame title and of framesize value */
+	int head_part = fr->id3v2.version > 2 ? 4 : 3;
+	int flag_part = fr->id3v2.version > 2 ? 2 : 0;
 	id[4] = 0;
 	/* pos now advanced after ext head, now a frame has to follow */
-	while(tagpos < length-10) /* I want to read at least a full header */
+	/* I want to read at least one full header now. */
+	while(tagpos <= length-head_part-head_part-flag_part)
 	{
 		int i = 0;
 		unsigned long pos = tagpos;
-		int head_part = fr->id3v2.version == 2 ? 3 : 4; /* bytes of frame title and of framesize value */
 		/* level 1,2,3 - 0 is info from lame/info tag! */
 		/* rva tags with ascending significance, then general frames */
 		enum frame_types tt = unknown;
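Review bot: the new loop bound, tagpos <= length-head_part-head_part-flag_part, goes wrong when length is smaller than one frame header. tagpos is copied into an unsigned long (pos), so if length is unsigned as well, the subtraction wraps to a very large value and the loop is entered on a tag too short to hold a header. The declaration of length is not visible in this hunk, so either confirm that an earlier minimum-length check exists or move the terms to the left-hand side, tagpos + 2*head_part + flag_part <= length, which also reads more clearly than subtracting head_part twice.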
@@ -801,7 +806,7 @@
 			}
 			if(VERBOSE3) fprintf(stderr, "Note: ID3v2 %s frame of size %lu\n", id, framesize);
 			tagpos += head_part + framesize; /* the important advancement in whole tag */
-			if(tagpos > length)
+			if(tagpos > length-flag_part)
 			{
 if(NOQUIET) error("Whoa! ID3v2 frame claims to be larger than the whole rest of the tag.");
 break;
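Review bot: the bound if(tagpos > length-flag_part) is evaluated only after tagpos += head_part + framesize, and framesize is an unsigned long read from the frame itself. Where unsigned long is 32 bits, a large enough framesize can wrap tagpos so that it passes this check. Validate framesize against the bytes remaining in the tag before adding it to tagpos, so the test does not depend on the sum. The same unsigned-subtraction concern applies to length-flag_part if length can be smaller than flag_part here.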
Index: .
===
--- .	(revision 4251)
+++ .	(revision 4252)

Property changes on: .
___
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /trunk:r4249

Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Salvatore Bonaccorso
Source: mpg123
Version: 1.25.0-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for mpg123.

CVE-2017-10683[0]:
| In mpg123 1.25.0, there is a heap-based buffer over-read in the
| convert_latin1 function in libmpg123/id3.c. A crafted input will lead
| to a remote denial of service attack.

This was reported at [1], but Hanno Boeck recently reported [2] as
well.

Looking at both cases I think those should be the same issue, and
upstream has a patch for the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
[2] https://sourceforge.net/p/mpg123/bugs/252/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#865909: faac: CVE-2017-9129 CVE-2017-9130

2017-06-25 Thread Salvatore Bonaccorso
Source: faac
Version: 1.28+cvs20151130-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for faac.

CVE-2017-9129[0]:
| The wav_open_read function in frontend/input.c in Freeware Advanced
| Audio Coder (FAAC) 1.28 allows remote attackers to cause a denial of
| service (large loop) via a crafted wav file.

CVE-2017-9130[1]:
| The faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio
| Coder (FAAC) 1.28 allows remote attackers to cause a denial of service
| (invalid memory read and application crash) via a crafted wav file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9129
[1] https://security-tracker.debian.org/tracker/CVE-2017-9130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9130
[2] https://www.exploit-db.com/exploits/42207/

Regards,
Salvatore



Bug#863230: kodi: malicious subtitle zip files vulnerability

2017-05-24 Thread Salvatore Bonaccorso
Control: retitle -1 kodi: CVE-2017-8314: malicious subtitle zip files vulnerability
Control: tags -1 + upstream security

On Wed, May 24, 2017 at 09:35:29AM +0200, Jonatan Nyberg wrote:
> Package: kodi
> severity: important
> 
> Dear Maintainer,
> 
> Kodi 17.2 has an important fix for the malicious subtitles
> vulnerability that has the potential to compromise your machine. It is
> important to update to this version as soon as possible.
> 
> http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

This got a CVE assigned (CVE-2017-8314)

Regards,
Salvatore



Bug#857651: Multiple security issues

2017-03-14 Thread Salvatore Bonaccorso
On Mon, Mar 13, 2017 at 07:59:34PM +0100, Moritz Muehlenhoff wrote:
> Source: audiofile
> Severity: grave
> Tags: security
> 
> Hi,
> please see these security tracker entries for details, which
> have all the links to the reports, github issues and patches:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-6829
> https://security-tracker.debian.org/tracker/CVE-2017-6831
> https://security-tracker.debian.org/tracker/CVE-2017-6832
> https://security-tracker.debian.org/tracker/CVE-2017-6833
> https://security-tracker.debian.org/tracker/CVE-2017-6834
> https://security-tracker.debian.org/tracker/CVE-2017-6835
> https://security-tracker.debian.org/tracker/CVE-2017-6836
> https://security-tracker.debian.org/tracker/CVE-2017-6837
> https://security-tracker.debian.org/tracker/CVE-2017-6838
> https://security-tracker.debian.org/tracker/CVE-2017-6839

Two more were assigned:

https://security-tracker.debian.org/tracker/CVE-2017-6827

and

https://security-tracker.debian.org/tracker/CVE-2017-6828

Regards,
Salvatore



Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2017-03-04 Thread Salvatore Bonaccorso
Control: notfound -1 0.13.4-1

Hi

On Tue, Nov 01, 2016 at 08:13:56PM +0100, Salvatore Bonaccorso wrote:
> Control: severity -1 minor
> 
> After feedback from MITRE marked it as unimportant, and lowering the
> severity. Reasoning in
> http://www.openwall.com/lists/oss-security/2016/11/01/10

This CVE has now explicitly been rejected, we can close the bug.

Tracker already updated from libass  (unimportant) to not
track it for libass.

Regards,
Salvatore



Bug#855225: kodi: CVE-2017-5982: Unrestricted file download

2017-02-15 Thread Salvatore Bonaccorso
Source: kodi
Severity: important
Tags: upstream security
Forwarded: http://trac.kodi.tv/ticket/17314

Hi,

the following vulnerability was published for kodi. I did not have the
time to verify if 17.0 is affected. Could you please check and add
according found versions to this bug please or otherwise close after
checking?

CVE-2017-5982[0]:
local file inclusion

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5982

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#855099: libquicktime: CVE-2016-2399

2017-02-13 Thread Salvatore Bonaccorso
Source: libquicktime
Version: 2:1.2.4-7
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libquicktime.

CVE-2016-2399[0]:
| Integer overflow in the quicktime_read_pascal function in libquicktime
| 1.2.4 and earlier allows remote attackers to cause a denial of service
| or possibly have other unspecified impact via a crafted hdlr MP4 atom.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2399

Regards,
Salvatore



Bug#853076: wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172

2017-01-29 Thread Salvatore Bonaccorso
Source: wavpack
Version: 5.0.0-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for wavpack.

CVE-2016-10169[0]:
global buffer overread in read_code / read_words.c

CVE-2016-10170[1]:
heap out of bounds read in WriteCaffHeader / caff.c

CVE-2016-10171[2]:
heap out of bounds read in unreorder_channels / wvunpack.c

CVE-2016-10172[3]:
heap oob read in read_new_config_info / open_utils.c

They are all fixed by the same commit [4] upstream.

Unless I'm wrong, I think those issues would not warrant a DSA for
jessie, but could you please make the fix be included in stretch so
that we do not ship wavpack affected by these?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10169
[1] https://security-tracker.debian.org/tracker/CVE-2016-10170
[2] https://security-tracker.debian.org/tracker/CVE-2016-10171
[3] https://security-tracker.debian.org/tracker/CVE-2016-10172
[4] https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc

Please adjust the affected versions in the BTS as needed.



Re: Bug#842093: embedded copies of libupnp

2016-12-10 Thread Salvatore Bonaccorso
Hi Sebastian,

On Fri, Dec 09, 2016 at 11:28:53AM +0100, Sebastian Ramacher wrote:
> On 2016-12-09 10:16:25, James Cowgill wrote:
> > Hi,
> > 
> > On 09/12/16 09:27, Uwe Kleine-König wrote:
> > > Hello,
> > > 
> > > there are two source packages (in sid, found via codesearch.d.n) that
> > > include embedded copies of libupnp: djmount and mediatomb (maintainers
> > > on Cc:).
> > > 
> > > djmount build-depends on libupnp-dev and calls configure with
> > > --with-external-libupnp, so fixing libupnp should be good enough here.
> > > 
> > > mediatomb doesn't build-depend on libupnp-dev and looking at
> > > https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> > > it seems that the embedded copy is used, so mediatomb needs additional
> > > handling to fix the bug. Also the copy is vulnerable.
> > 
> > The Fedora maintainer asked upstream about it a while back:
> > https://sourceforge.net/p/mediatomb/bugs/114/
> > 
> > I have not checked how extensive the patching is, but I expect
> > unbundling libupnp from mediatomb would be a lot of work which no one
> > has volunteered to do.
> > 
> > Upstream appears to be dead which is why they haven't fixed it.
> 
> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
> current state it will not be part of stretch.

I think this makes sense. Can you request the removal from unstable?

Regards,
Salvatore



Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2016-11-01 Thread Salvatore Bonaccorso
Control: severity -1 minor

After feedback from MITRE marked it as unimportant, and lowering the
severity. Reasoning in
http://www.openwall.com/lists/oss-security/2016/11/01/10

Regards,
Salvatore



Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2016-10-27 Thread Salvatore Bonaccorso
Hi,

On Wed, Oct 26, 2016 at 09:46:57PM +0200, Ola Lundqvist wrote:
> Hi
> 
> I had a quick look at libass today regarding CVE-2016-7971.
> 
> When I read the discussion thread about this issue it looks like the
> problem is not only disputed upstream, but actually disputed by the person
> reporting the issue. Or rather the person reporting the issue has clarified
> that the problem is not in libass but rather in the application using
> libass.
> 
> So if you do not mind I think we should both claim that the libass is not
> vulnerable and also close #840338.
> 
> If I do not hear an objection about this I will do so.

I asked for clarification here:

http://www.openwall.com/lists/oss-security/2016/10/27/5

Regards,
Salvatore



Bug#840434: ffmpeg: CVE-2016-7122 CVE-2016-7450 CVE-2016-7502 CVE-2016-7555 CVE-2016-7562 CVE-2016-7785 CVE-2016-7905

2016-10-11 Thread Salvatore Bonaccorso
Source: ffmpeg
Version: 7:3.1.3-2
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for ffmpeg.

CVE-2016-7122[0], CVE-2016-7450[1], CVE-2016-7502[2],
CVE-2016-7555[3], CVE-2016-7562[4], CVE-2016-7785[5],
CVE-2016-7905[6].

The upstream commits are referenced on the security-tracker pages and
updating to 3.1.4 would fix all of them.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7122
[1] https://security-tracker.debian.org/tracker/CVE-2016-7450
[2] https://security-tracker.debian.org/tracker/CVE-2016-7502
[3] https://security-tracker.debian.org/tracker/CVE-2016-7555
[4] https://security-tracker.debian.org/tracker/CVE-2016-7562
[5] https://security-tracker.debian.org/tracker/CVE-2016-7785
[6] https://security-tracker.debian.org/tracker/CVE-2016-7905

Regards,
Salvatore



Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2016-10-10 Thread Salvatore Bonaccorso
Source: libass
Version: 0.13.4-1
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for libass. This is to help
tracking the issue in the BTS. This CVE is for the issue which
remained unfixed in the recent upstream version, and so far has no
good solution at the time of writing.

CVE-2016-7971[0]:
large allocation leading to crash

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7971
[1] http://www.openwall.com/lists/oss-security/2016/10/05/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-10-05 Thread Salvatore Bonaccorso
Hi Thomas,

On Fri, Sep 30, 2016 at 08:05:14AM +0200, Thomas Orgis wrote:
> On Thu, 29 Sep 2016 01:20:05 +0200
> Thomas Orgis wrote:
> 
> > Still nothing. I don't expect anything to arrive anymore. Perhaps that
> > Google Docs form was a joke anyway. So, please let's just get a number
> > via Debian and get on with it.
> 
> Nope, eh … yes. I got a reply now from the distributed weakness
> reporting project and probably a CVE will follow. Sorry if I'm causing
> a mess with this. It is my first time getting involved in this directly.

Any news from the DWF project on the assigned CVE?

Regards,
Salvatore


Re: Wheezy update of vlc?

2016-08-21 Thread Salvatore Bonaccorso
Hi,

On Sun, May 29, 2016 at 10:10:20PM -0400, Reinhard Tartler wrote:
> Also note that https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5108
> doesn't provide any useful information about this issue. Is that issue also
> known by a different identifier?

MITRE has just not yet updated their description for the issue.
CVE-2016-5108 was assigned here:

https://marc.info/?l=oss-security&m=146436956931554&w=2

Cf. https://security-tracker.debian.org/tracker/CVE-2016-5108

HTH,

Regards,
Salvatore



Bug#801102: Fix for security issue in audiofile (CVE-2015-7747)?

2016-06-14 Thread Salvatore Bonaccorso
Hi,

On Tue, Jun 14, 2016 at 03:00:08PM +0100, James Cowgill wrote:
> On Tue, 2016-06-14 at 15:43 +0200, Petter Reinholdtsen wrote:
> > [James Cowgill]
> > > I can fix it right now in Debian (along with a few other things). Hold
> > > on a moment...
> > 
> > Very good.  Via the upstream github pull request I discovered that
> > Ubuntu already uploaded a fix, available as a rather messy patch from
> > .
> > 
> > I look forward to seeing the fix in Debian unstable.  Do you plan to fix
> > it in stable too?
> 
> After I've fixed it in unstable, I'll ping the security team and see
> what they have to say about stable updates. Jessie has 0.3.6 as well so
> the patch should be identical.

We marked the issue as no-dsa a while back. Could you (once the fix
landed in unstable) address this via a stable update via jessie-pu,
see
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
for documentation.

Thanks a lot for your work,

Regards,
Salvatore



Bug#825728: vlc: CVE-2016-5108

2016-05-29 Thread Salvatore Bonaccorso
Source: vlc
Version: 2.2.3-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for vlc.

CVE-2016-5108[0]:
crash and potential code execution when processing QuickTime IMA files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5108
[1] http://www.openwall.com/lists/oss-security/2016/05/27/3
[2] https://git.videolan.org/?p=vlc.git;a=commit;h=458ed62bbeb9d1bddf7b8df104e14936408a3db9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#823723: mplayer: CVE-2016-4352: Mplayer/Mencoder integer overflow parsing gif files

2016-05-07 Thread Salvatore Bonaccorso
Source: mplayer
Version: 2:1.0~rc4.dfsg1+svn34540-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://trac.mplayerhq.hu/ticket/2295
Control: found -1 2:1.3.0-1

Hi,

the following vulnerability was published for mplayer.

CVE-2016-4352[0]:
Mplayer/Mencoder integer overflow parsing gif files

The issue seems present sourcewise up to 2:1.3.0-1 in unstable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4352

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#806519: ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

2015-11-28 Thread Salvatore Bonaccorso
Hi Andreas,

On Sat, Nov 28, 2015 at 11:34:57AM +0100, Andreas Cadhalpun wrote:
> Control: tag -1 pending
> 
> Hi Salvatore,
> 
> On 28.11.2015 11:28, Salvatore Bonaccorso wrote:
> > the following vulnerabilities were published for ffmpeg.
> > 
> > CVE-2015-8363[0]:
> > CVE-2015-8364[1]:
> > CVE-2015-8365[2]:
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> That's already fixed in git, see [3].

Thanks! I will update the security-tracker information with the fixed
version once it enters unstable.

Thanks for your work,

Regards,
Salvatore



Bug#796255: vlc: CVE-2015-5949

2015-08-20 Thread Salvatore Bonaccorso
Source: vlc
Version: 2.2.0~rc2-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Control: fixed -1 2.2.0~rc2-2+deb8u1

Hi,

the following vulnerability was published for vlc.

CVE-2015-5949[0]:
No description was found (try on a search engine)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5949
[1] http://www.ocert.org/advisories/ocert-2015-009.html
[2] https://lists.debian.org/debian-security-announce/2015/msg00241.html

Regards,
Salvatore



cloning 786688, reassign -1 to src:kodi, found -1 in 14.2+dfsg1-1, retitle -1 to kodi: CVE-2015-3885

2015-07-13 Thread Salvatore Bonaccorso
clone 786688 -1
reassign -1 src:kodi 
found -1 14.2+dfsg1-1
retitle -1 kodi: CVE-2015-3885
thanks




Bug#781806: das-watchdog: diff for NMU version 0.9.0-3.1

2015-04-10 Thread Salvatore Bonaccorso
Control: tags 781806 + pending

Dear maintainer,

I've prepared an NMU for das-watchdog (versioned as 0.9.0-3.1) and
uploaded it due to the close Jessie release. Attached here is the used
debdiff for the upload.

Regards,
Salvatore
diff -Nru das-watchdog-0.9.0/debian/changelog das-watchdog-0.9.0/debian/changelog
--- das-watchdog-0.9.0/debian/changelog	2013-10-16 18:37:01.0 +0200
+++ das-watchdog-0.9.0/debian/changelog	2015-04-10 22:34:03.0 +0200
@@ -1,3 +1,13 @@
+das-watchdog (0.9.0-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix buffer overflow in the handling of the XAUTHORITY env variable
+(CVE-2015-2831) (Closes: #781806)
+  * Remove duplicate check for temp[i] == '\0' in das_watchdog.c
+  * Fix infinite loop on platforms where char is unsigned
+
+ -- Salvatore Bonaccorso car...@debian.org  Fri, 10 Apr 2015 22:19:18 +0200
+
 das-watchdog (0.9.0-3) unstable; urgency=low
 
   * Team upload.
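Review bot: the new 0.9.0-3.1 entry has no bullet for the follow-up leak fix, although this debdiff also adds debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch. Suggest naming the patch file behind each bullet, or adding a line for the leak fix under the CVE-2015-2831 item, so that every file under debian/patches can be traced from the changelog.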
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch
--- das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch	1970-01-01 01:00:00.0 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch	2015-04-10 22:34:03.0 +0200
@@ -0,0 +1,41 @@
+From bd20bb02e75e2c0483832b52f2577253febfb690 Mon Sep 17 00:00:00 2001
+From: Kjetil Matheussen k.s.matheus...@usit.uio.no
+Date: Wed, 1 Apr 2015 16:06:48 +0200
+Subject: [PATCH] Fix memory overflow if the name of an environment is larger
+ than 500 characters. Bug found by Adam Sampson.
+
+---
+ das_watchdog.c | 10 +-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index c98bbea..8473fe8 100644
+--- a/das_watchdog.c
 b/das_watchdog.c
+@@ -306,7 +306,9 @@ static int checksoftirq(int force){
+ 
+ 
+ static char *get_pid_environ_val(pid_t pid,char *val){
+-  char temp[500];
++  int temp_size = 500;
++  char *temp = malloc(temp_size);
++  
+   int i=0;
+   int foundit=0;
+   FILE *fp;
+@@ -319,6 +321,12 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ 
+   
+   for(;;){
++
++if (i = temp_size) {
++  temp_size *= 2;
++  temp = realloc(temp, temp_size);
++}
++  
+ temp[i]=fgetc(fp);
+ 
+ if(foundit==1  (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
+-- 
+2.1.4
+
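Review bot: neither the new `malloc(temp_size)` at the top of get_pid_environ_val nor the `temp = realloc(temp, temp_size)` inside the loop is checked for NULL. If either allocation fails, the following `temp[i]=fgetc(fp)` writes through a null pointer, and assigning the realloc result straight back to `temp` loses the only reference to the old block. Suggest reallocating into a temporary pointer and, on failure, closing `fp`, freeing the old buffer and returning NULL. Also, as the grow condition is shown here it reads `if (i = temp_size)`, which is an assignment; please confirm that the file actually applied compares with `i >= temp_size`.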
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch
--- das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch	1970-01-01 01:00:00.0 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch	2015-04-10 22:34:03.0 +0200
@@ -0,0 +1,50 @@
+From 286489dd7dad59f8b5a9b9fdfececb95bcf5c570 Mon Sep 17 00:00:00 2001
+From: Kjetil Matheussen k.s.matheus...@usit.uio.no
+Date: Wed, 1 Apr 2015 16:12:39 +0200
+Subject: [PATCH] Fixed memory leak in bd20bb02e75e2c0483832b52f2577253febfb690
+
+---
+ das_watchdog.c | 13 ++---
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index 8381d56..26385b2 100644
+--- a/das_watchdog.c
 b/das_watchdog.c
+@@ -316,9 +316,10 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+   sprintf(temp,/proc/%d/environ,pid);
+ 
+   fp=fopen(temp,r);
+-  if(fp==NULL)
++  if(fp==NULL){
++free(temp);
+ return NULL;
+-
++  }
+   
+   for(;;){
+ 
+@@ -330,17 +331,15 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ temp[i]=fgetc(fp);
+ 
+ if(foundit==1  (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
+-  char *ret;
+-  temp[i]=0;
+-  ret=malloc(strlen(temp)+10);
+-  sprintf(ret,%s,temp);
+   fclose(fp);
+-  return ret;
++  temp[i]=0;
++  return temp;
+ }
+ 
+ switch(temp[i]){
+ case EOF:
+   fclose(fp);
++  free(temp);
+   return NULL;
+ case '=':
+   temp[i]=0;
+-- 
+2.1.4
+
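Review bot: in the second inner hunk the function now hands back the working buffer itself via `return temp;`, so the caller takes ownership of an allocation that may have been grown well beyond the length of the value, and nothing in the patch documents that. Suggest a comment above get_pid_environ_val stating that the result is heap-allocated and must be released with free(), and checking that every caller does so, since the two new `free(temp)` calls only cover the NULL-returning paths.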
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch
--- das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch	1970-01-01 01:00:00.0 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch	2015-04-10 22:34:03.0 +0200
@@ -0,0 +1,25 @@
+From b76e17f733bddb5295ef34eed4dd444b31c7b12f Mon Sep 17 00:00:00 2001
+From: Adam Sampson a...@offog.org
+Date: Wed, 1 Apr 2015 20:28:28 +0100
+Subject: [PATCH 1/3] Remove duplicate check for temp[i] == '\0'
+
+---
+ das_watchdog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git

Bug#775866: vlc: multiple vulnerabilities

2015-01-20 Thread Salvatore Bonaccorso
Hi!

On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
> CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a
> DSA might be needed.

They were assigned now:
http://www.openwall.com/lists/oss-security/2015/01/20/11

Regards,
Salvatore



Bug#747428: [xbmc] passwords are stored in plain xml file

2014-05-20 Thread Salvatore Bonaccorso

Hi,

CVE-2014-3800 was assigned now for the issue that mode 0644 is used
for the file containing the password, see [1].

 [1] http://www.openwall.com/lists/oss-security/2014/05/20/5

Regards,
Salvatore



Bug#745301: libmms: CVE-2014-2892: heap-based buffer overflow

2014-04-20 Thread Salvatore Bonaccorso
Source: libmms
Version: 0.6-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libmms.

CVE-2014-2892[0]:
heap-based buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2892
https://security-tracker.debian.org/tracker/CVE-2014-2892
[1] http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8

Regards,
Salvatore



Bug#736154: cantata: Information disclosure (no CVE assigned yet)

2014-01-20 Thread Salvatore Bonaccorso
Control: retitle -1 cantata: Information disclosure (CVE-2013-7300 CVE-2013-7301)

Hi

On Mon, Jan 20, 2014 at 12:34:45PM +0100, Moritz Muehlenhoff wrote:
> Package: cantata
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> the following was reported on oss-security:
> https://code.google.com/p/cantata/issues/detail?id=356

Two CVEs were assigned: CVE-2013-7300 and CVE-2013-7301. See [1] for
details.

 [1] http://www.openwall.com/lists/oss-security/2014/01/20/5

Regards,
Salvatore



Bug#672030: beast: FTBFS: birnetutils.cc:725:44: error: 'access' was not declared in this scope

2012-07-07 Thread Salvatore Bonaccorso
Hi

On Thu, Jun 21, 2012 at 09:54:15PM +0100, Steven Chamberlain wrote:
> # the fix for this seems finalised in VCS
> tags 672030 + patch

I tried to build beast in current state of the git repository, it
succeeds at least at the previous part but now the package FTBFS later
on (build segfaults). Attached is my log.

Regards,
Salvatore


beast_0.7.4-4.1_amd64.build.gz
Description: Binary data



Bug#624666: vlc: security update breaks mp3 support

2011-05-16 Thread Salvatore Bonaccorso
Hi

Are there any news on this?

Bests
Salvatore

