Your message dated Wed, 11 Nov 2015 01:50:53 +0000
with message-id <e1zwkyn-0000yv...@franck.debian.org>
and subject line Bug#804445: fixed in libsndfile 1.0.25-10
has caused the Debian Bug report #804445,
regarding libsndfile: CVE-2015-7805: Heap overflow vulnerability when parsing
specially crafted AIFF header
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
804445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsndfile
Version: 1.0.25-5
Severity: grave
Tags: security upstream

Hi,

(Setting severity to grave for now, but not fully evaluated)

The following vulnerability was published for libsndfile.

CVE-2015-7805[0]:
| Heap overflow vulnerability when parsing specially crafted AIFF
| header

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-7805
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1277897
[2] https://bugzilla.novell.com/show_bug.cgi?id=953516

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libsndfile
Source-Version: 1.0.25-10

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 804...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erik de Castro Lopo <er...@mega-nerd.com> (supplier of updated libsndfile
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Tue, 10 Nov 2015 20:36:47 +1100
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs libsndfile1-dbg sndfile-programs-dbg
Architecture: source amd64
Version: 1.0.25-10
Distribution: unstable
Urgency: low
Maintainer: Erik de Castro Lopo <er...@mega-nerd.com>
Changed-By: Erik de Castro Lopo <er...@mega-nerd.com>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dbg - debugging symbols for libsndfile
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
 sndfile-programs-dbg - debugging symbols for sndfile-programs
Closes: 774162 804445 804447
Changes:
 libsndfile (1.0.25-10) unstable; urgency=low
 .
   * debian/patches :
     - Add 02_sd2_buffer_read_overflow.diff (CVE-2014-9496, closes: #774162).
     - Add 03_file_io_divide_by_zero.diff (CVE-2014-9756, closes: #804447).
     - Add 04_fix_aiff_heap_overflow.diff (CVE-2015-7805, closes: #804445).
   * debian/control: Standards version 3.9.6. No changes needed.
--- End Message ---