Public bug reported:
Please sync flac 1.3.0-3 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
- debian/patches/CVE-2014-8962.patch: validate id in
src/libFLAC/stream_decoder.c.
- CVE-2014-8962
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
- debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
in src/libFLAC/stream_decoder.c.
- CVE-2014-9028
This security fixes were done in Debian.
Changelog entries since current vivid version 1.3.0-2ubuntu1:
flac (1.3.0-3) unstable; urgency=high
* Fixes for CVE-2014-8962 and CVE-2014-9028:
+ Backport three patches from upstream GIT repository:
- CVE-2014-8962.patch: Fix a buffer read overflow.
- CVE-2014-9028.patch: Avoid a heap overflow.
- CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
the former fix, but strictly speaking not the same vulnerability.
+ Closes: #770918.
+ Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
-- Fabian Greffrath <fabian+deb...@greffrath.com> Thu, 27 Nov 2014
16:52:51 +0100
** Affects: flac (Ubuntu)
Importance: Wishlist
Status: New
** Changed in: flac (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1398666
Title:
Sync flac 1.3.0-3 (main) from Debian unstable (main)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flac/+bug/1398666/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
