Your message dated Tue, 20 May 2008 15:32:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#480059: fixed in vorbis-tools 1.2.0-2
has caused the Debian Bug report #480059,
regarding vorbis-tools vulnerable to CVE-2008-1686
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
480059: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480059
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vorbis-tools
Version: 1.2.0-1.1
Severity: grave
Tags: patch security
Justification: user security hole
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch
vorbis-tools contains embedded speex code, and although vorbis-tools is linked
to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu
is using in its 1.1.1 versions of vorbis-tools (fuzz removed).
Here is a suggested changelog entry:
* SECURITY UPDATE: array index vulnerability
* debian/patches/CVE-2008-1686.diff: fix for ogg123/speex_format.c to
properly validate its input
* References
CVE-2008-1686
diff -u vorbis-tools-1.2.0/debian/changelog vorbis-tools-1.2.0/debian/changelog
diff -u vorbis-tools-1.2.0/debian/patches/series
vorbis-tools-1.2.0/debian/patches/series
--- vorbis-tools-1.2.0/debian/patches/series
+++ vorbis-tools-1.2.0/debian/patches/series
@@ -5,0 +6 @@
+CVE-2008-1686.patch
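Review bot: the file name added to debian/patches/series here, `CVE-2008-1686.patch`, does not match the name given in the suggested changelog entry above (`debian/patches/CVE-2008-1686.diff`); align the two so the changelog references the file that actually ships in the package.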
only in patch2:
unchanged:
--- vorbis-tools-1.2.0.orig/debian/patches/CVE-2008-1686.patch
+++ vorbis-tools-1.2.0/debian/patches/CVE-2008-1686.patch
@@ -0,0 +1,12 @@
+diff -Nur vorbis-tools-1.2.0/ogg123/speex_format.c
vorbis-tools-1.2.0.new/ogg123/speex_format.c
+--- vorbis-tools-1.2.0/ogg123/speex_format.c 2008-03-03 00:37:26.000000000
-0500
++++ vorbis-tools-1.2.0.new/ogg123/speex_format.c 2008-05-07
17:34:31.000000000 -0400
+@@ -475,7 +475,7 @@
+ cb->printf_error(callback_arg, ERROR, _("Cannot read header"));
+ return NULL;
+ }
+- if ((*header)->mode >= SPEEX_NB_MODES) {
++ if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) {
+ cb->printf_error(callback_arg, ERROR,
+ _("Mode number %d does not (any longer) exist in this
version"),
+ (*header)->mode);
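Review bot: the added `|| (*header)->mode < 0` lower bound is the right fix for a signed `mode` field, but the error string reused for it, `_("Mode number %d does not (any longer) exist in this version")`, describes a removed or newer mode and now also fires for negative values that never existed; a wording such as "Mode number %d is out of range" would let a log reader tell a corrupt header from a version mismatch. The patch file also starts directly at `diff -Nur` with no DEP-3 header (Origin, Bug, Description), so the CVE reference does not travel with it; consider adding one.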
--- End Message ---
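The index check discussed in the report above, worked through as an added example that is not code from vorbis-tools or libspeex: the stand-in `spx_header` struct, the value `SPEEX_NB_MODES = 3` and the `mode_names` table are assumptions, and the "before" predicate is shown only as a comparison, never used to index the table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libspeex's SPEEX_NB_MODES (assumed: 3 modes). */
#define SPEEX_NB_MODES 3

/* Simplified stand-in for SpeexHeader: the only field that matters here
 * is the signed 32-bit mode index read straight from the stream. */
struct spx_header {
    int32_t mode;
};

/* Constructed table standing in for libspeex's mode list. */
static const char *const mode_names[SPEEX_NB_MODES] = {
    "narrowband", "wideband", "ultra-wideband"
};

/* Pre-patch predicate: upper bound only. A negative (signed) mode passes
 * and would later index the table below element 0. Used for comparison
 * only; no lookup is ever done through it. */
int mode_accepted_before_fix(const struct spx_header *h)
{
    return !(h->mode >= SPEEX_NB_MODES);
}

/* Patched predicate: accept only values in [0, SPEEX_NB_MODES). */
int mode_accepted_after_fix(const struct spx_header *h)
{
    return !(h->mode >= SPEEX_NB_MODES || h->mode < 0);
}

/* Table lookup guarded by the patched predicate; NULL means rejected, so
 * an out-of-range value never reaches the array subscript. */
const char *mode_name(const struct spx_header *h)
{
    if (!mode_accepted_after_fix(h))
        return NULL;
    return mode_names[h->mode];
}

int main(void)
{
    const int32_t samples[] = { 0, 2, 3, -1, INT32_MIN };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct spx_header h = { samples[i] };
        const char *name = mode_name(&h);
        printf("mode %11d: before=%d after=%d name=%s\n", h.mode,
               mode_accepted_before_fix(&h), mode_accepted_after_fix(&h),
               name ? name : "(rejected)");
    }
    return 0;
}
```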
--- Begin Message ---
Source: vorbis-tools
Source-Version: 1.2.0-2
We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive:
vorbis-tools_1.2.0-2.diff.gz
to pool/main/v/vorbis-tools/vorbis-tools_1.2.0-2.diff.gz
vorbis-tools_1.2.0-2.dsc
to pool/main/v/vorbis-tools/vorbis-tools_1.2.0-2.dsc
vorbis-tools_1.2.0-2_amd64.deb
to pool/main/v/vorbis-tools/vorbis-tools_1.2.0-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Clint Adams <[EMAIL PROTECTED]> (supplier of updated vorbis-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Tue, 20 May 2008 10:49:09 -0400
Source: vorbis-tools
Binary: vorbis-tools
Architecture: source amd64
Version: 1.2.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <[EMAIL PROTECTED]>
Changed-By: Clint Adams <[EMAIL PROTECTED]>
Description:
vorbis-tools - several Ogg Vorbis tools
Closes: 470133 480059
Changes:
vorbis-tools (1.2.0-2) unstable; urgency=medium
.
[ Adeodato Simó ]
* Install upstream CHANGES file as changelog.gz. Thanks Bastian Kleineidam.
(Closes: #470133)
.
[ Clint Adams ]
* Add upstream_r14728-speex_format_validation.diff. closes: #480059.
* Loosen libflac-dev build dependency to (>> 1.1.4) to facilitate
backports.
--- End Message ---