Your message dated Tue, 01 May 2018 09:10:08 +0000
with message-id <e1fdriw-0004k2...@fasolo.debian.org>
and subject line Bug#897271: fixed in wavpack 5.1.0-3
has caused the Debian Bug report #897271,
regarding wavpack: CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897271: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897271
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wavpack
Version: 5.0.0-1
Severity: serious
Tags: security upstream
Justification: regression from stable, once DSA released
Control: fixed -1 5.0.0-2+deb9u2

Hi,

The following vulnerabilities were published for wavpack; a fixed
version (5.0.0-2+deb9u2) was uploaded to security-master by Moritz
Muehlenhoff to be issued as a DSA.

CVE-2018-10536[0]:
| An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser
| component contains a vulnerability that allows writing to memory
| because ParseRiffHeaderConfig in riff.c does not reject multiple format
| chunks.

CVE-2018-10537[1]:
| An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser
| component contains a vulnerability that allows writing to memory
| because ParseWave64HeaderConfig in wave64.c does not reject multiple
| format chunks.

CVE-2018-10538[2]:
| An issue was discovered in WavPack 5.1.0 and earlier for WAV input.
| Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c
| does not validate the sizes of unknown chunks before attempting memory
| allocation, related to a lack of integer-overflow protection within a
| bytes_to_copy calculation and subsequent malloc call, leading to
| insufficient memory allocation.

CVE-2018-10539[3]:
| An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input.
| Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in
| dsdiff.c does not validate the sizes of unknown chunks before
| attempting memory allocation, related to a lack of integer-overflow
| protection within a bytes_to_copy calculation and subsequent malloc
| call, leading to insufficient memory allocation.

CVE-2018-10540[4]:
| An issue was discovered in WavPack 5.1.0 and earlier for W64 input.
| Out-of-bounds writes can occur because ParseWave64HeaderConfig in
| wave64.c does not validate the sizes of unknown chunks before
| attempting memory allocation, related to a lack of integer-overflow
| protection within a bytes_to_copy calculation and subsequent malloc
| call, leading to insufficient memory allocation.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10536
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10536
[1] https://security-tracker.debian.org/tracker/CVE-2018-10537
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10537
[2] https://security-tracker.debian.org/tracker/CVE-2018-10538
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10538
[3] https://security-tracker.debian.org/tracker/CVE-2018-10539
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10539
[4] https://security-tracker.debian.org/tracker/CVE-2018-10540
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10540

Regards,
Salvatore

--- End Message ---
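As an added illustration, and not code from the bug report or from the wavpack source, the following C program models the two bug classes the CVE texts above describe for a RIFF/WAVE chunk walker: a second "fmt " chunk that must be rejected (the CVE-2018-10536 class), and an unknown chunk whose 32-bit declared size is rounded up to an even byte count before a malloc(), so that a size of 0xFFFFFFFF wraps to 0 and the allocation is far too small (the CVE-2018-10538 class). The even-rounding expression, the MAX_CHUNK_BYTES bound, the enum names and the sample inputs are all assumptions made here for the example; the sample buffers are constructed in the program and are not real files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of walking the chunk list. */
enum riff_status { RIFF_OK = 0, RIFF_TRUNCATED, RIFF_DUP_FMT, RIFF_BAD_SIZE, RIFF_NO_FMT };

/* Assumed upper bound on any chunk we would buffer in memory (not a value
 * taken from the advisory or from wavpack). */
#define MAX_CHUNK_BYTES (1u << 20)

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The arithmetic the CVE text describes (modelled here, not copied from riff.c):
 * round a 32-bit chunk size up to an even byte count. With ck_size == 0xFFFFFFFF
 * the increment wraps to 0, so a malloc() of the result is far smaller than the
 * bytes the header claims. Returns the wrapped value only; nothing is allocated. */
uint32_t unchecked_bytes_to_copy(uint32_t ck_size)
{
    return (ck_size + 1u) & ~1u;
}

/* Hardened walker over the chunks after the 12-byte RIFF/WAVE header. Rejects
 * a second "fmt " chunk and any chunk whose declared size exceeds the remaining
 * input or MAX_CHUNK_BYTES, before any allocation would be made. Stops at "data". */
enum riff_status parse_riff_chunks(const uint8_t *buf, size_t len)
{
    size_t off = 12;
    int seen_fmt = 0;

    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return RIFF_TRUNCATED;

    while (off + 8 <= len) {
        const uint8_t *hdr = buf + off;
        uint32_t ck_size = rd32(hdr + 4);
        size_t padded;

        off += 8;
        if (memcmp(hdr, "fmt ", 4) == 0) {
            if (seen_fmt)
                return RIFF_DUP_FMT;          /* only one format chunk is allowed */
            if (ck_size < 16)
                return RIFF_BAD_SIZE;         /* WAVEFORMAT is at least 16 bytes */
            seen_fmt = 1;
        } else if (memcmp(hdr, "data", 4) == 0) {
            return seen_fmt ? RIFF_OK : RIFF_NO_FMT;
        } else if (ck_size > MAX_CHUNK_BYTES) {
            return RIFF_BAD_SIZE;             /* unknown chunk: bound it before malloc */
        }
        /* Compare against the bytes actually present, in size_t, so the
         * even-rounding below cannot wrap for any ck_size. */
        if ((size_t)ck_size > len - off)
            return RIFF_TRUNCATED;
        padded = (size_t)ck_size + (ck_size & 1u);
        if (padded > len - off)
            return RIFF_TRUNCATED;
        /* A real reader would malloc(padded) and copy the chunk body here. */
        off += padded;
    }
    return RIFF_TRUNCATED;                    /* ran out of input before a data chunk */
}

/* Constructed sample input (not a real file): RIFF/WAVE with one "fmt " chunk,
 * optionally a duplicate, optionally an unknown "LIST" chunk with the given
 * declared size (its body is written only when it is at most 64 bytes), then an
 * empty "data" chunk. Returns the number of bytes written to out[] (max 140). */
size_t build_sample(uint8_t *out, int dup_fmt, uint32_t unknown_size)
{
    static const uint8_t fmt_body[16] = { 1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,1,0, 2,0, 16,0 };
    int copies = dup_fmt ? 2 : 1, i;
    size_t n = 0;

    memcpy(out + n, "RIFF\0\0\0\0WAVE", 12); n += 12;
    for (i = 0; i < copies; i++) {
        memcpy(out + n, "fmt ", 4); n += 4;
        wr32(out + n, 16); n += 4;
        memcpy(out + n, fmt_body, 16); n += 16;
    }
    if (unknown_size) {
        memcpy(out + n, "LIST", 4); n += 4;
        wr32(out + n, unknown_size); n += 4;
        if (unknown_size <= 64) {
            size_t body = unknown_size + (unknown_size & 1u);
            memset(out + n, 'x', body); n += body;
        }
    }
    memcpy(out + n, "data", 4); n += 4;
    wr32(out + n, 0); n += 4;
    wr32(out + 4, (uint32_t)(n - 8));         /* RIFF size field */
    return n;
}

/* Builds a sample and runs the hardened walker over it. */
enum riff_status check_sample(int dup_fmt, uint32_t unknown_size)
{
    uint8_t buf[256];
    size_t n = build_sample(buf, dup_fmt, unknown_size);
    return parse_riff_chunks(buf, n);
}

int main(void)
{
    printf("wrapped bytes_to_copy for 0xFFFFFFFF: %u\n", unchecked_bytes_to_copy(0xFFFFFFFFu));
    printf("well-formed file: %d\n", check_sample(0, 0));
    printf("duplicate fmt chunk: %d\n", check_sample(1, 0));
    printf("unknown chunk claiming 4 GiB: %d\n", check_sample(0, 0xFFFFFFFFu));
    printf("unknown chunk larger than the input: %d\n", check_sample(0, 100));
    return 0;
}
```

The two checks are independent: the duplicate-fmt rejection stops a second format chunk from rewriting state already derived from the first, and the size bound plus the comparison against the remaining input means the rounded-up allocation size is computed only for values that cannot wrap. The same pattern applies to the W64 and DSDiff parsers named in the other CVEs, which differ only in header layout.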
--- Begin Message ---
Source: wavpack
Source-Version: 5.1.0-3

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramac...@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 May 2018 09:52:12 +0200
Source: wavpack
Binary: libwavpack1 libwavpack-dev wavpack
Architecture: source
Version: 5.1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org>
Changed-By: Sebastian Ramacher <sramac...@debian.org>
Description:
 libwavpack-dev - audio codec (lossy and lossless) - development files
 libwavpack1 - audio codec (lossy and lossless) - library
 wavpack    - audio codec (lossy and lossless) - encoder and decoder
Closes: 889274 889276 889559 897271
Changes:
 wavpack (5.1.0-3) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Set Vcs-* to salsa.debian.org
   * d/rules: Remove trailing whitespaces
 .
   [ Felipe Sateler ]
   * Change maintainer address to debian-multime...@lists.debian.org
 .
   [ Sebastian Ramacher ]
   * debian/control: Bump Standards-Version.
   * debian/patches:
     - Cherry-pick upstream patches for multiple CVEs (CVE-2018-7254,
       CVE-2018-7253, CVE-2018-6767, CVE-2018-10540, CVE-2018-10539,
       CVE-2018-10538, CVE-2018-10537, CVE-2018-10536). (Closes: #889274,
       #889276, #889559, #897271)
     - Fix a memory leak.
Checksums-Sha1:
 3fd2f99fd4216fd9246e34b98dd247d5e0131b88 2066 wavpack_5.1.0-3.dsc
 533c336dff6f4088a750bd3e85b0b4a9089a6702 9148 wavpack_5.1.0-3.debian.tar.xz
Checksums-Sha256:
 ade22011f0aad8bc95e76380e292e0f29e73ab2d4fa34980e8c802fdb3cd97ab 2066 wavpack_5.1.0-3.dsc
 9f108ff985b240ab79c67a6ed73d890cd6a2cb5ed0e06fe08fd892941b63f18e 9148 wavpack_5.1.0-3.debian.tar.xz
Files:
 16f16f4ef00a3c8c0d66eae7b3b62e69 2066 sound optional wavpack_5.1.0-3.dsc
 133792f50af7af58b8de73c33da6670c 9148 sound optional wavpack_5.1.0-3.debian.tar.xz


--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
