group.of.nepali.translators team mailing list archive
Message #11932
[Bug 1674005] Re: audiofile: Multiple security issues from March 2017
This bug was fixed in the package audiofile - 0.3.3-2ubuntu0.3
---------------
audiofile (0.3.3-2ubuntu0.3) precise-security; urgency=medium

  * SECURITY UPDATE: multiple vulnerabilities (LP: #1674005)
    - Apply patches backported from Debian 0.3.6-4:
      + 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
      + 05_Always-check-the-number-of-coefficients.patch
      + 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch
      + 07_Check-for-multiplication-overflow-in-sfconvert.patch
      + 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch
      + 09_Actually-fail-when-error-occurs-in-parseFormat.patch
      + 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
    - CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830,
      CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834,
      CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838,
      CVE-2017-6839
  * debian/patches/sfconvert_error_handling.patch: improve sfconvert error
    handling so we can test the reproducers.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 22 Mar 2017 10:39:00 -0400

** Changed in: audiofile (Ubuntu Trusty)
Status: New => Fix Released
--
https://bugs.launchpad.net/bugs/1674005
Title:
audiofile: Multiple security issues from March 2017
Status in audiofile package in Ubuntu:
New
Status in audiofile source package in Precise:
Fix Released
Status in audiofile source package in Trusty:
Fix Released
Status in audiofile source package in Xenial:
Fix Released
Status in audiofile source package in Yakkety:
Fix Released
Bug description:
https://security-tracker.debian.org/tracker/source-package/audiofile
http://openwall.com/lists/oss-security/2017/02/26/
https://github.com/mpruett/audiofile/issues/32
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
https://github.com/mpruett/audiofile/commit/c48e4c6503
Fixed in Debian unstable 0.3.6-4 and synced to zesty.
debdiffs attached for 14.04 LTS and up. For 12.04 LTS, audiofile was
in main so someone should probably try to apply the patches there too.
I've done no testing of these packages.