[Bug 1737364] Re: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

2018-02-05 Thread Launchpad Bug Tracker
This bug was fixed in the package brotli - 0.3.0+dfsg-2ubuntu1

---
brotli (0.3.0+dfsg-2ubuntu1) xenial-security; urgency=medium

  * SECURITY UPDATE: integer underflow in dec/decode.c (LP: #1737364)
- debian/patches/fix-integer-underflow.patch: upstream patch via Debian
- CVE-2016-1624
- CVE-2016-1968

 -- Jeremy Bicha   Sat, 09 Dec 2017 17:45:50 -0500

** Changed in: brotli (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1737364

Title:
  16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737364/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1737364] Re: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

2018-02-05 Thread Marc Deslauriers
ACK on the debdiff in comment #1. Package is building now and will be
released as a security update. Thanks!

** Also affects: brotli (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: brotli (Ubuntu)
   Status: New => Fix Released

** Changed in: brotli (Ubuntu Xenial)
   Status: New => Fix Committed


[Bug 1737364] Re: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

2017-12-09 Thread Jeremy Bicha
** Patch added: "brotli-xenial-lp1737364.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737364/+attachment/5020748/+files/brotli-xenial-lp1737364.debdiff

** Tags added: patch

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1624

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1968

** Description changed:

  Impact
  --
  Integer underflow could be targeted as a buffer overflow
  https://security-tracker.debian.org/tracker/source-package/brotli
  
  Debdiff attached.
+ 
+ Because brotli is embedded in web browsers for WOFF2 support (to be
+ somewhat fixed by the proposed brotli MIR), this issue was already
+ mentioned in
+ 
+ https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox)
+ Luke Li discovered a buffer overflow during Brotli decompression in some
+ circumstances. If a user were tricked into opening a specially crafted
+ website, an attacker could potentially exploit this to cause a denial of
+ service via application crash, or execute arbitrary code with the
+ privileges of the user invoking Firefox. (CVE-2016-1968)
+ 
+ https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide)
+ An integer underflow was discovered in Brotli. If a user were tricked
+ into opening a specially crafted website, an attacker could potentially
+ exploit this to cause a denial of service via application crash, or
+ execute arbitrary code with the privileges of the user invoking the
+ program. (CVE-2016-1624)
  
  Regression Potential
  
  This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from 
late March to mid June 2016 when it was superseded by a newer version. The 
Ubuntu security sync tool wasn't able to retrieve this version now.
  
  brotli has no reverse dependencies in Ubuntu and is in universe.
  
  Testing Done
  
  Only a simple build test.
  
  There is a build test to ensure basic functionality of brotli with both
  python2 and python3.
  
  Other Info
  --
  The main purpose of this security update is to clear up the security history 
section of MIR LP: #1737053.
  
  It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to
  be backported to Ubuntu 16.04 and 17.10 as a security update (and
  promoted to main there), after 17.04 reaches End of Life.

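The description above says the integer underflow "could be targeted as a buffer overflow". The following is an added illustration of that bug class in general, constructed for this page; it is not brotli's dec/decode.c, not the Debian patch, and the sample byte strings are made up. A one-byte header claims a payload length; the naive step subtracts that claim from the bytes available without checking first, so a hostile or truncated stream wraps the size_t to a huge value that a later copy or read loop would use as its bound. The hardened step compares before subtracting and rejects the stream.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: a one-byte header claiming 200 payload bytes,
 * followed by only 3 real bytes (a truncated or hostile stream). */
static const uint8_t SAMPLE_BAD[] = { 200, 'a', 'b', 'c' };
/* Constructed well-formed sample: header claims 2 bytes, 3 follow. */
static const uint8_t SAMPLE_OK[]  = { 2, 'a', 'b', 'c' };

/* Naive decoder step (the defect): bytes left after the claimed payload,
 * computed with unsigned subtraction and no prior bounds check. When the
 * header claims more than is available the size_t wraps to a huge value,
 * and any copy or read loop bounded by it runs off the end of the buffer. */
size_t naive_remaining(const uint8_t *buf, size_t len) {
    size_t claimed = buf[0];
    size_t avail = len - 1;        /* bytes after the 1-byte header */
    return avail - claimed;        /* underflows when claimed > avail */
}

/* Hardened step: compare before subtracting and reject short input.
 * Returns -1 on rejection, otherwise the number of remaining bytes. */
long safe_remaining(const uint8_t *buf, size_t len) {
    if (len == 0)
        return -1;                 /* no header at all */
    size_t claimed = buf[0];
    size_t avail = len - 1;
    if (claimed > avail)
        return -1;                 /* would underflow: stream is truncated */
    return (long)(avail - claimed);
}

/* 1 if the naive bound on SAMPLE_BAD exceeds the buffer itself, i.e. the
 * header-controlled value has become an out-of-bounds bound. */
int naive_bound_exceeds_buffer(void) {
    return naive_remaining(SAMPLE_BAD, sizeof SAMPLE_BAD) > sizeof SAMPLE_BAD;
}

int main(void) {
    printf("naive remaining on bad stream: %zu (buffer is %zu bytes)\n",
           naive_remaining(SAMPLE_BAD, sizeof SAMPLE_BAD), sizeof SAMPLE_BAD);
    printf("safe  remaining on bad stream: %ld\n",
           safe_remaining(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("safe  remaining on good stream: %ld\n",
           safe_remaining(SAMPLE_OK, sizeof SAMPLE_OK));
    return 0;
}
```

The point for a reviewer of a decoder patch is the order of operations: the comparison must happen on the original operands, before any unsigned subtraction, because once the subtraction has wrapped there is no value left to check.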