group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1737364] Re: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1737364@xxxxxxxxxxxxxxxxxx>
Date: Mon, 05 Feb 2018 20:28:48 -0000
Reply-to: Bug 1737364 <1737364@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package brotli - 0.3.0+dfsg-2ubuntu1

---------------
brotli (0.3.0+dfsg-2ubuntu1) xenial-security; urgency=medium

  * SECURITY UPDATE: integer underflow in dec/decode.c (LP: #1737364)
    - debian/patches/fix-integer-underflow.patch: upstream patch via Debian
    - CVE-2016-1624
    - CVE-2016-1968

 -- Jeremy Bicha <jbicha@xxxxxxxxxx>  Sat, 09 Dec 2017 17:45:50 -0500

** Changed in: brotli (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1737364

Title:
  16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

Status in brotli package in Ubuntu:
  Fix Released
Status in brotli source package in Xenial:
  Fix Released

Bug description:
  Impact
  ------
  Integer underflow could be targeted as a buffer overflow
  https://security-tracker.debian.org/tracker/source-package/brotli

  Debdiff attached.

  Because brotli is embedded in web browsers for WOFF2 support (to be
  somewhat fixed by the proposed brotli MIR), this issue was already
  mentioned in

  https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox)
  Luke Li discovered a buffer overflow during Brotli decompression in some
  circumstances. If a user were tricked in to opening a specially crafted
  website, an attacker could potentially exploit this to cause a denial of
  service via application crash, or execute arbitrary code with the
  privileges of the user invoking Firefox. (CVE-2016-1968)

  https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide)
  An integer underflow was discovered in Brotli. If a user were tricked in
  to opening a specially crafted website, an attacker could potentially
  exploit this to cause a denial of service via application crash, or
  execute arbitrary code with the privileges of the user invoking the
  program. (CVE-2016-1624)

  Regression Potential
  --------------------
  This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from late March to mid June 2016 when it was superseded by a newer version. The Ubuntu security sync tool wasn't able to retrieve this version now.

  brotli has no reverse dependencies in Ubuntu and is in universe.

  Testing Done
  ------------
  Only a simple build test.

  There is a build test to ensure basic functionality of brotli with
  both python2 and python3.

  Other Info
  ----------
  The main purpose of this security update is to clear up the security history section of MIR LP: #1737053.

  It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to
  be backported to Ubuntu 16.04 and 17.10 as a security update (and
  promoted to main there), after 17.04 reaches End of Life.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737364/+subscriptions