Public bug reported: Please sync flac 1.3.0-3 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-8962.patch: validate id in
      src/libFLAC/stream_decoder.c.
    - CVE-2014-8962
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow in
      src/libFLAC/stream_decoder.c.
    - CVE-2014-9028

These security fixes were done in Debian.

Changelog entries since current vivid version 1.3.0-2ubuntu1:

flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to the
        former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <fabian+deb...@greffrath.com>  Thu, 27 Nov 2014 16:52:51 +0100

** Affects: flac (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: flac (Ubuntu)
   Importance: Undecided => Wishlist

https://bugs.launchpad.net/bugs/1398666