Your message dated Sat, 20 Jun 2009 13:54:11 +0000
with message-id <e1mi11h-0003fb...@ries.debian.org>
and subject line Bug#528650: fixed in libsndfile 1.0.17-4+lenny2
has caused the Debian Bug report #528650,
regarding libsndfile1: Potential heap overflow in all versions <= 1.0.19
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
528650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libsndfile1
Severity: normal
Tags: patch
Potential heap overflow as described here:
http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
The blog post also links to patches for all versions of libsndfile from
1.0.15 to 1.0.19 inclusive.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968)
(ignored: LC_ALL set to POSIX)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Source: libsndfile
Source-Version: 1.0.17-4+lenny2
We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive:
libsndfile1-dev_1.0.17-4+lenny2_amd64.deb
  to pool/main/libs/libsndfile/libsndfile1-dev_1.0.17-4+lenny2_amd64.deb
libsndfile1_1.0.17-4+lenny2_amd64.deb
  to pool/main/libs/libsndfile/libsndfile1_1.0.17-4+lenny2_amd64.deb
libsndfile_1.0.17-4+lenny2.diff.gz
  to pool/main/libs/libsndfile/libsndfile_1.0.17-4+lenny2.diff.gz
libsndfile_1.0.17-4+lenny2.dsc
  to pool/main/libs/libsndfile/libsndfile_1.0.17-4+lenny2.dsc
sndfile-programs_1.0.17-4+lenny2_amd64.deb
  to pool/main/libs/libsndfile/sndfile-programs_1.0.17-4+lenny2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated libsndfile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 12 Jun 2009 11:49:42 +0000
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs
Architecture: source amd64
Version: 1.0.17-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Samuel Mimram <smim...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dev - Library for reading/writing audio files
 sndfile-programs - Sample programs that use libsndfile
Closes: 528650
Changes:
 libsndfile (1.0.17-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2009-1788: heap-based buffer overflow in voc_read_header
       leading to arbitrary code execution via crafted VOC headers.
     - CVE-2009-1791: heap-based buffer overflow in aiff_read_header
       leading to arbitrary code execution via crafted AIFF headers.
     (Closes: #528650).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoyQ78ACgkQHYflSXNkfP+8ZgCfYEU3Kne6PLRclqi4krgzCKxY
O0IAnjyMs48IJxQhaVCbp57UrE0tMeXO
=IWRP
-----END PGP SIGNATURE-----
--- End Message ---