Your message dated Mon, 25 Jun 2012 16:33:36 +0000
with message-id <e1sjcek-0003uv...@franck.debian.org>
and subject line Bug#669196: fixed in libvorbisidec 1.0.2+svn18153-0.1
has caused the Debian Bug report #669196,
regarding libvorbisidec: multiple longstanding unfixed security issues in libvorbis
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
669196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: libvorbisidec
severity: grave
version: 1.0.2+svn16259-2
tag: security

libvorbisidec shares a large majority of its code with libvorbis.
There have been quite a few security issues fixed in libvorbis over
the past few years that have subsequently gone unfixed here.  These
include:

CVE-2007-3106
CVE-2007-4029
CVE-2007-4065
CVE-2007-4066
CVE-2008-1419
CVE-2008-1420
CVE-2008-1423
CVE-2008-2009
CVE-2009-2663
CVE-2009-3379
CVE-2012-0444

I have only checked the 2009 and 2012 issues so far, but since all were
issued after the 1.0 release, it is very likely that most are valid.

Anyway, these issues should be fixed or the package should be removed.

Best wishes,
Mike



--- End Message ---
--- Begin Message ---
Source: libvorbisidec
Source-Version: 1.0.2+svn18153-0.1

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive:

libvorbisidec-dev_1.0.2+svn18153-0.1_i386.deb
  to main/libv/libvorbisidec/libvorbisidec-dev_1.0.2+svn18153-0.1_i386.deb
libvorbisidec1_1.0.2+svn18153-0.1_i386.deb
  to main/libv/libvorbisidec/libvorbisidec1_1.0.2+svn18153-0.1_i386.deb
libvorbisidec_1.0.2+svn18153-0.1.diff.gz
  to main/libv/libvorbisidec/libvorbisidec_1.0.2+svn18153-0.1.diff.gz
libvorbisidec_1.0.2+svn18153-0.1.dsc
  to main/libv/libvorbisidec/libvorbisidec_1.0.2+svn18153-0.1.dsc
libvorbisidec_1.0.2+svn18153.orig.tar.gz
  to main/libv/libvorbisidec/libvorbisidec_1.0.2+svn18153.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 669...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <l...@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Jun 2012 16:51:00 +0200
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source i386
Version: 1.0.2+svn18153-0.1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Changed-By: Luk Claes <l...@debian.org>
Description: 
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Closes: 669196
Changes: 
 libvorbisidec (1.0.2+svn18153-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * New upstream version to fix security issues.
     * CVE-2008-1419: correctly handle codebook.dim==0 case
     * CVE-2008-1423: check for absurdly huge codebooks
     * CVE-2008-2009: sanity check for underpopulated Huffman trees
     * CVE-2009-3379: multiple vulnerabilities MFSA 2009-63
     * CVE-2012-0444: fix decoding memory corruption
     Closes: #669196
   * Add libogg-dev dependency to avoid FTBFS.
   * Don't ship .la file.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/l6XEACgkQ5UTeB5t8Mo2X7QCeLvfeP4pTSDf25LXiLXy844it
lwoAn3ovau9ADDKo0uV69imFtcQhi6W5
=Qtwx
-----END PGP SIGNATURE-----



--- End Message ---
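
Added example (not part of either message above): a short Python check that reconciles the CVE identifiers listed in the bug report with those named in the upload's "Changes:" field. Both inputs are copied from this page; the function names are illustrative, and the result only shows which identifiers the changelog names, not whether the code behind the others changed.

```python
import re

# CVE identifiers listed in the bug report (copied from the first message).
REPORTED = """
CVE-2007-3106 CVE-2007-4029 CVE-2007-4065 CVE-2007-4066
CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 CVE-2008-2009
CVE-2009-2663 CVE-2009-3379 CVE-2012-0444
"""

# "Changes:" field of the upload (copied from the second message).
CHANGES = """
 libvorbisidec (1.0.2+svn18153-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * New upstream version to fix security issues.
     * CVE-2008-1419: correctly handle codebook.dim==0 case
     * CVE-2008-1423: check for absurdly huge codebooks
     * CVE-2008-2009: sanity check for underpopulated Huffman trees
     * CVE-2009-3379: multiple vulnerabilities MFSA 2009-63
     * CVE-2012-0444: fix decoding memory corruption
     Closes: #669196
"""

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
CLOSES_RE = re.compile(r"closes:\s*((?:bug)?#?\s?\d+(?:,\s*(?:bug)?#?\s?\d+)*)", re.I)

def cve_ids(text):
    """Return the set of CVE identifiers found in text, upper-cased."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text.upper())}

def closed_bugs(changes):
    """Return the bug numbers given on 'Closes:' lines of a changelog entry."""
    bugs = set()
    for match in CLOSES_RE.finditer(changes):
        bugs.update(int(n) for n in re.findall(r"\d+", match.group(1)))
    return bugs

def reconcile(reported, changes):
    """Split CVEs into: named in both, reported only, changelog only."""
    rep, named = cve_ids(reported), cve_ids(changes)
    return sorted(rep & named), sorted(rep - named), sorted(named - rep)

if __name__ == "__main__":
    named, unnamed, extra = reconcile(REPORTED, CHANGES)
    print("bugs closed by upload:", sorted(closed_bugs(CHANGES)))
    print("reported and named in changelog:", *named)
    print("reported but not named in changelog:", *unnamed)
    print("named in changelog but not reported:", *extra)
```

Identifiers in the "reported but not named" group are the ones to check against the source before treating the closed bug as covering them.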
