touch-packages team mailing list archive

[Bug 1398666] [NEW] Sync flac 1.3.0-3 (main) from Debian unstable (main)

Public bug reported:

Please sync flac 1.3.0-3 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-8962.patch: validate id in
      src/libFLAC/stream_decoder.c.
    - CVE-2014-8962
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
      in src/libFLAC/stream_decoder.c.
    - CVE-2014-9028
These security fixes were done in Debian.

Changelog entries since current vivid version 1.3.0-2ubuntu1:

flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <fabian+debian@xxxxxxxxxxxxx>  Thu, 27 Nov 2014 16:52:51 +0100

** Affects: flac (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: flac (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to flac in Ubuntu.
https://bugs.launchpad.net/bugs/1398666

Title:
  Sync flac 1.3.0-3 (main) from Debian unstable (main)

Status in flac package in Ubuntu:
  New
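As an added example (not part of the bug report, nor code from the flac or Debian projects), the script below parses the changelog stanza quoted in this sync request, pulls out the CVE identifiers and the closed Debian bug, and decides with a dpkg-style version comparison whether the current vivid version 1.3.0-2ubuntu1 predates the fixed upload 1.3.0-3. The changelog text is copied from the report; the version ordering (epoch, then upstream, then revision, with `~` sorting before anything else and digit runs compared numerically) is a reimplementation of the rules dpkg uses, written for this example, not dpkg's own code.

```python
import re

# Constructed input: the changelog stanza quoted in the sync request above.
CHANGELOG_ENTRY = """\
flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <fabian+debian@xxxxxxxxxxxxx>  Thu, 27 Nov 2014 16:52:51 +0100
"""

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)\s*$", re.M)
TRAILER_RE = re.compile(r"^ -- (.+?) <([^>]+)>  (.+)$", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CLOSES_RE = re.compile(r"closes:\s*((?:#?\d+[,\s]*)+)", re.I)


def parse_changelog_entry(text):
    """Parse one Debian changelog stanza into its header, CVE ids, Closes bugs and trailer."""
    header = HEADER_RE.search(text)
    trailer = TRAILER_RE.search(text)
    if not header or not trailer:
        raise ValueError("not a well-formed changelog stanza")
    closes = []
    for m in CLOSES_RE.finditer(text):
        closes.extend(int(n) for n in re.findall(r"\d+", m.group(1)))
    return {
        "package": header.group(1),
        "version": header.group(2),
        "distribution": header.group(3),
        "urgency": header.group(4),
        "cves": sorted(set(CVE_RE.findall(text))),
        "closes": closes,
        "maintainer": trailer.group(1),
        "date": trailer.group(3),
    }


def _order(c):
    """Character weight in dpkg ordering: '~' sorts before everything, even end of string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings with dpkg's alternating rule."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character using the weights above.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (dpkg ordering)."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def sync_needed(installed, candidate):
    """True when the candidate version is strictly newer than the installed one."""
    return compare_versions(installed, candidate) < 0


def unfixed_cves(installed, entry):
    """CVEs from the entry that a version older than the entry's version still lacks."""
    return entry["cves"] if sync_needed(installed, entry["version"]) else []


if __name__ == "__main__":
    entry = parse_changelog_entry(CHANGELOG_ENTRY)
    print(entry["package"], entry["version"], entry["cves"], entry["closes"])
    print("unfixed in 1.3.0-2ubuntu1:", unfixed_cves("1.3.0-2ubuntu1", entry))
```

The revision comparison is the part worth attention: `2ubuntu1` sorts below `3` because the leading digit run is compared numerically first, which is exactly why the Ubuntu delta can be dropped once the Debian upload is synced.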