Your message dated Fri, 20 Sep 2019 03:19:31 +0000
with message-id <e1ib9sf-000avb...@fasolo.debian.org>
and subject line Bug#934966: fixed in libstb 0.0~git20190817.1.052dce1-1
has caused the Debian Bug report #934966,
regarding libstb: CVE-2019-13217 CVE-2019-13218 CVE-2019-13219 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
934966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934966
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libstb
Version: 0.0~git20190617.5.c72a95d-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for libstb.
CVE-2019-13217[0]:
| A heap buffer overflow in the start_decoder function in stb_vorbis
| through 2019-03-04 allows an attacker to cause a denial of service or
| execute arbitrary code by opening a crafted Ogg Vorbis file.
CVE-2019-13218[1]:
| Division by zero in the predict_point function in stb_vorbis through
| 2019-03-04 allows an attacker to cause a denial of service by opening
| a crafted Ogg Vorbis file.
CVE-2019-13219[2]:
| A NULL pointer dereference in the get_window function in stb_vorbis
| through 2019-03-04 allows an attacker to cause a denial of service by
| opening a crafted Ogg Vorbis file.
CVE-2019-13220[3]:
| Use of uninitialized stack variables in the start_decoder function in
| stb_vorbis through 2019-03-04 allows an attacker to cause a denial of
| service or disclose sensitive information by opening a crafted Ogg
| Vorbis file.
CVE-2019-13221[4]:
| A stack buffer overflow in the compute_codewords function in
| stb_vorbis through 2019-03-04 allows an attacker to cause a denial of
| service or execute arbitrary code by opening a crafted Ogg Vorbis
| file.
CVE-2019-13222[5]:
| An out-of-bounds read of a global buffer in the draw_line function in
| stb_vorbis through 2019-03-04 allows an attacker to cause a denial of
| service or disclose sensitive information by opening a crafted Ogg
| Vorbis file.
CVE-2019-13223[6]:
| A reachable assertion in the lookup1_values function in stb_vorbis
| through 2019-03-04 allows an attacker to cause a denial of service by
| opening a crafted Ogg Vorbis file.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13217
[1] https://security-tracker.debian.org/tracker/CVE-2019-13218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13218
[2] https://security-tracker.debian.org/tracker/CVE-2019-13219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13219
[3] https://security-tracker.debian.org/tracker/CVE-2019-13220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13220
[4] https://security-tracker.debian.org/tracker/CVE-2019-13221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13221
[5] https://security-tracker.debian.org/tracker/CVE-2019-13222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13222
[6] https://security-tracker.debian.org/tracker/CVE-2019-13223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13223
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libstb
Source-Version: 0.0~git20190817.1.052dce1-1
We believe that the bug you reported is fixed in the latest version of
libstb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 934...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yangfl <mmyan...@gmail.com> (supplier of updated libstb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Sep 2019 08:31:51 +0800
Source: libstb
Architecture: source
Version: 0.0~git20190817.1.052dce1-1
Distribution: unstable
Urgency: medium
Maintainer: Yangfl <mmyan...@gmail.com>
Changed-By: Yangfl <mmyan...@gmail.com>
Closes: 932660 934966
Changes:
libstb (0.0~git20190817.1.052dce1-1) unstable; urgency=medium
 .
   [ Boyuan Yang ]
   * New upstream snapshot
     + Include upstream CVE fixes:
       - CVE-2019-13217: heap buffer overflow in start_decoder()
       - CVE-2019-13218: stack buffer overflow in compute_codewords()
       - CVE-2019-13219: uninitialized memory in vorbis_decode_packet_rest()
       - CVE-2019-13220: out-of-range read in draw_line()
       - CVE-2019-13221: issue with large 1D codebooks in lookup1_values()
       - CVE-2019-13222: unchecked NULL returned by get_window()
       - CVE-2019-13223: division by zero in predict_point()
       (Closes: #934966)
   * debian/rules, Makefile: Make sure the package cross-builds
     correctly (Closes: #932660)
   * debian/libstb0.symbols: Add new symbols
Checksums-Sha1:
 fba07136b497cb3cb4947818ac2876bb34b03e5a 2054 libstb_0.0~git20190817.1.052dce1-1.dsc
 e9e3b566bd563f149a5f2543decd8e5a09d43898 1357962 libstb_0.0~git20190817.1.052dce1.orig.tar.gz
 c4eb8cd8561ba443d430d2fa0acabd6978dacc2c 10440 libstb_0.0~git20190817.1.052dce1-1.debian.tar.xz
 3be243110fda26a693e5c104c380c8f5049be5f3 6327 libstb_0.0~git20190817.1.052dce1-1_amd64.buildinfo
Checksums-Sha256:
 b0277b679de6f73afe8e1397d36420247b97d26e6fd8545a2a4751e43342e374 2054 libstb_0.0~git20190817.1.052dce1-1.dsc
 466e7af7c4c8c435e5270d3b7aabf15bc580bf231a3e1fb84655c7a252e75ea2 1357962 libstb_0.0~git20190817.1.052dce1.orig.tar.gz
 3c860e90ec67d5d6b0f1eaa303ab552a8b933d5868e122eec5f5c7912db54631 10440 libstb_0.0~git20190817.1.052dce1-1.debian.tar.xz
 18443309de815dc00454495f87cdb3e85561e5ecb9a7ce82da4664b813f5254f 6327 libstb_0.0~git20190817.1.052dce1-1_amd64.buildinfo
Files:
 b8a38f171c973487a10184f3d395929e 2054 libs optional libstb_0.0~git20190817.1.052dce1-1.dsc
 3fbf7d65d6755bc4c55c8dbcef57273d 1357962 libs optional libstb_0.0~git20190817.1.052dce1.orig.tar.gz
 265e5eca14584889087f6ab72c4727de 10440 libs optional libstb_0.0~git20190817.1.052dce1-1.debian.tar.xz
 76d4e08067750fa94d1532579d07485c 6327 libs optional libstb_0.0~git20190817.1.052dce1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---