Your message dated Sun, 13 Sep 2009 18:32:57 +0000
with message-id <e1mmtsf-0000ta...@ries.debian.org>
and subject line Bug#528650: fixed in libsndfile 1.0.18-2+squeeze1
has caused the Debian Bug report #528650,
regarding libsndfile1: Potential heap overflow in all versions <= 1.0.19
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libsndfile1
Severity: normal
Tags: patch


Potential heap overflow as described here:

    http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html

The blog post also links to patches for all versions of libsndfile from
1.0.15 to 1.0.19 inclusive.


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to POSIX)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Source: libsndfile
Source-Version: 1.0.18-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive:

libsndfile1-dev_1.0.18-2+squeeze1_i386.deb
  to pool/main/libs/libsndfile/libsndfile1-dev_1.0.18-2+squeeze1_i386.deb
libsndfile1_1.0.18-2+squeeze1_i386.deb
  to pool/main/libs/libsndfile/libsndfile1_1.0.18-2+squeeze1_i386.deb
libsndfile_1.0.18-2+squeeze1.diff.gz
  to pool/main/libs/libsndfile/libsndfile_1.0.18-2+squeeze1.diff.gz
libsndfile_1.0.18-2+squeeze1.dsc
  to pool/main/libs/libsndfile/libsndfile_1.0.18-2+squeeze1.dsc
sndfile-programs_1.0.18-2+squeeze1_i386.deb
  to pool/main/libs/libsndfile/sndfile-programs_1.0.18-2+squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geiss...@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 11 Sep 2009 21:50:21 -0500
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs
Architecture: source i386
Version: 1.0.18-2+squeeze1
Distribution: testing-security
Urgency: high
Maintainer: Samuel Mimram <smim...@debian.org>
Changed-By: Raphael Geissert <geiss...@debian.org>
Description: 
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dev - Library for reading/writing audio files
 sndfile-programs - Sample programs that use libsndfile
Closes: 528650
Changes: 
 libsndfile (1.0.18-2+squeeze1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Testing Security Team.
   * Upload to testing due to several issues blocking migration of new release
   * The following issues are fixed:
      - CVE-2009-1788: heap-based buffer overflow in voc_read_header
        leading to arbitrary code execution via crafted VOC headers.
      - CVE-2009-1791: heap-based buffer overflow in aiff_read_header
        leading to arbitrary code execution via crafted AIFF headers.
      (Closes: #528650).
      - CVE-2009-0186: integer overflow leading to a heap-based buffer overflow
        via a crafted CAF file by limiting the number of channels per frame.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqseaYACgkQYy49rUbZzlqFDwCglXHTwjynXI5rGYqVW26Sfz0p
+YgAnjra5YgoWKk77T/2cHAxUk7XsvEv
=9hMo
-----END PGP SIGNATURE-----



--- End Message ---
