Bug#704870: marked as done (opus: cve-2013-0899)

[Debian Bug Tracking System]

Your message dated Sat, 13 Apr 2013 15:17:48 +0000
with message-id <e1ur2d6-0000kt...@franck.debian.org>
and subject line Bug#704870: fixed in opus 0.9.14+20120615-1+nmu1
has caused the Debian Bug report #704870,
regarding opus: cve-2013-0899
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
704870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: opus
Severity: serious
Version: 0.9.14+20120615-1
Tags: security

Hi,
the following vulnerability was published for opus.

CVE-2013-0899[0]:
| Integer overflow in the padding implementation in the
| opus_packet_parse_impl function in src/opus_decoder.c in Opus before
| 1.0.2, as used in Google Chrome before 25.0.1364.97 on Windows and
| Linux and before 25.0.1364.99 on Mac OS X and other products, allows
| remote attackers to cause a denial of service (out-of-bounds read) via
| a long packet.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0899
    http://security-tracker.debian.org/tracker/CVE-2013-0899

--- End Message ---

--- Begin Message ---

Source: opus
Source-Version: 0.9.14+20120615-1+nmu1

We believe that the bug you reported is fixed in the latest version of
opus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilb...@debian.org> (supplier of updated opus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 12 Apr 2013 01:40:52 +0000
Source: opus
Binary: libopus0 libopus-dev libopus-dbg libopus-doc
Architecture: source amd64 all
Version: 0.9.14+20120615-1+nmu1
Distribution: unstable
Urgency: medium
Maintainer: Ron Lee <r...@debian.org>
Changed-By: Michael Gilbert <mgilb...@debian.org>
Description: 
 libopus-dbg - debugging symbols for libopus
 libopus-dev - Opus codec library development files
 libopus-doc - libopus API documentation
 libopus0   - Opus codec runtime library
Closes: 704870
Changes: 
 opus (0.9.14+20120615-1+nmu1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix cve-2013-0899: integer overflow in src/opus_decoder.c (closes: 
#704870).
Checksums-Sha1: 
 e29d71587c6938b5c5fdac2efadfe088a0724301 2680 opus_0.9.14+20120615-1+nmu1.dsc
 e23d06d6448f0bbe505f6d73f04b0e84f5050007 5302 
opus_0.9.14+20120615-1+nmu1.diff.gz
 af9c4a50a9f6497cee712c0cce191044afa872e8 152914 
libopus0_0.9.14+20120615-1+nmu1_amd64.deb
 458eb56dcdee286c99077497218b41affd926698 199892 
libopus-dev_0.9.14+20120615-1+nmu1_amd64.deb
 6954d00d1491ed161f46bd97949e8332ae8ffee0 367362 
libopus-dbg_0.9.14+20120615-1+nmu1_amd64.deb
 43aea1fb659c75c719d1b2240d97e9db598ccdd8 166864 
libopus-doc_0.9.14+20120615-1+nmu1_all.deb
Checksums-Sha256: 
 ef8a58d91ee59d5849266f530e7b382f6c3947b8788502ae4b6f2d73d861cb5c 2680 
opus_0.9.14+20120615-1+nmu1.dsc
 1b788915eedd695d2dd2cc838fc25e8338fa7034944746b0d2eb59f55635892c 5302 
opus_0.9.14+20120615-1+nmu1.diff.gz
 c110f5a4118ef6399ce7953bc53ec62eb649c073e6b614ea4c1bf73ff86d1602 152914 
libopus0_0.9.14+20120615-1+nmu1_amd64.deb
 b8cf0422bcf34a3e55ba1b8b1bd681792002b87db02b9f540eeea4486b80def8 199892 
libopus-dev_0.9.14+20120615-1+nmu1_amd64.deb
 23f1739e2db40358660c8c5c8bdbb143b82786314fda93849fd6c6c8aa3fbb5a 367362 
libopus-dbg_0.9.14+20120615-1+nmu1_amd64.deb
 bb76d32211ea98b760dec1eb4d2045475aabbe41e8d56bde15c87884552d3adc 166864 
libopus-doc_0.9.14+20120615-1+nmu1_all.deb
Files: 
 f3b9fcae29e7f570462750f15d4831a7 2680 sound optional 
opus_0.9.14+20120615-1+nmu1.dsc
 e8f6a68c03eeadc37f5b2441a517075b 5302 sound optional 
opus_0.9.14+20120615-1+nmu1.diff.gz
 a536ee2479074ddc05d3914fd34a43fe 152914 libs optional 
libopus0_0.9.14+20120615-1+nmu1_amd64.deb
 e5eb17b477acf2da50632e480ea42e7f 199892 libdevel optional 
libopus-dev_0.9.14+20120615-1+nmu1_amd64.deb
 0c1d6f12c11384a4c8aa2c9acf5d939b 367362 debug extra 
libopus-dbg_0.9.14+20120615-1+nmu1_amd64.deb
 a026546a20749c2ccd19289f8e956950 166864 doc optional 
libopus-doc_0.9.14+20120615-1+nmu1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQQcBAEBCAAGBQJRZ2cmAAoJELjWss0C1vRzmjkf/1FpOpIOn6NAWpx/IUPjGnbi
66ovrecmzmUcEFNJp0IyDvLMragulbA7tBGmnirYB47tSd6uDaXX9S9KI6NWe406
BVGuxNH5l+1CLwwwjnVvuUyhAZ2S5V8nMKmXiRqIgyNRuMn92NP5R1l8CNgmEe6/
ucT5COhur9E74oTVtoG4F8fH0wXBqBOvnGxFNPNK4Swx+Fidv9rEexTNywDx48fY
PYG2quX55vbsNC+1ab4FHTFm/uNUrABAMtd4x5jNrEnGAL+hknx1sPq92IlgSyBv
jxt7DMyU3wWdArf4vWgE4OOeheBC6ChqJXB/co8dK3heZE9bA3KrKf7PzyFLDpXa
Tsi7kgSvpGT7+xfcqHmBG71kCnY8szMjIt18X4ZDDw78or+NkZXsBF2OJCZX/BiK
CvZWqQmPiDn43GYS8UEkn+5aI/q7gpzzIUK7Q+iMsG/YAcATDPxol8p9nkfXpjhS
Vtxb6yJxbkoz+8bip2ydhIordbjwtMRzagTSMqyFYFWkoDwk8MMfMaRSlA5Ep3z7
LnG6iWPQVYsK2/DCRzCeRu/wUo7EeQuBYv0XznaBvV3GdMc0V15s659/q3kmY+ip
Kjv7/PKpMnacvSGrD+ke8upbF4g4lFvZLYFZrTqD8J2zNOXYRi+0OcVZpVjtYG27
3fZj+DdyszjlwbNGvNeWOv/bccFpDsznL7RoBtKqr8UXEKNLKSLxVJdstDBE0SEQ
7eiTcuaTjq5OYyJvG0vDV4uZ+Yw0wrTJEE3eLPwkPs+gCUMQVGHGwUKEEZGAhsBM
wsdmm0gqenbP6//SdRPaGncg2hBzH1X+9S/9J2fRge6fIYYUSg3FWr7QXEALx/L1
sOG+M9V/g5zAcn4eitqBUUyIa3HdiI8YOCd2A0dgYPc9g6mB9zESyAmP89cOfiYJ
zHXQAkIDQE7Kx67H4lnLPnl6nxEiLYff+I9ff6rl/vLgF45Ap0wgM5U8kax93a7/
4Qs34nfT+6FfK8hU5UjocHtoxMe9q98S+E0sBmpnS33pzu8sq9bu/xTTLaC164LJ
BG+r8z7lHpjgRvYc0OBMfA1MBhd193IuoY9jM0oScq43NHv9UX028tZdSHadoVzQ
UbDJRaJKQpNVtHFnYj1FX5VXmemwUAMNZtW85w/tswnmfH2R7uF6wu+MoJFeDFx9
7iI7VG/SLBWlaEz7mDE45ltF6fScBratMx5O17rpxfHzNlyEvVZh4H70exLTiGnw
sTQPKK6JdvdGtYJGlyokLVsfwW3/vGa/O1db7DjgTLJ81zcnspW/bOrUMfRFZ+04
mj0d4NrJPweYP/ZyP1WOkTqjwAPSZkxWj4l7EZmcXD7esR6kfKOvYTIE9hQGU8E=
=gDz1
-----END PGP SIGNATURE-----

--- End Message ---