touch-packages team mailing list archive

Thread
Date

[Bug 1398666] Re: Sync flac 1.3.0-3 (main) from Debian unstable (main)

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Daniel Holbach <daniel.holbach@xxxxxxxxxx>
Date: Wed, 03 Dec 2014 16:22:40 -0000
Reply-to: Bug 1398666 <1398666@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package flac - 1.3.0-3
Sponsored for Logan Rosen (logan)

---------------
flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <fabian+debian@xxxxxxxxxxxxx>  Thu, 27 Nov 2014
16:52:51 +0100

** Changed in: flac (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-8962

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9028

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to flac in Ubuntu.
https://bugs.launchpad.net/bugs/1398666

Title:
  Sync flac 1.3.0-3 (main) from Debian unstable (main)

Status in flac package in Ubuntu:
  Fix Released

Bug description:
  Please sync flac 1.3.0-3 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: arbitrary code execution via crafted .flac file
      - debian/patches/CVE-2014-8962.patch: validate id in
        src/libFLAC/stream_decoder.c.
      - CVE-2014-8962
    * SECURITY UPDATE: arbitrary code execution via crafted .flac file
      - debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
        in src/libFLAC/stream_decoder.c.
      - CVE-2014-9028
  This security fixes were done in Debian.

  Changelog entries since current vivid version 1.3.0-2ubuntu1:

  flac (1.3.0-3) unstable; urgency=high

    * Fixes for CVE-2014-8962 and CVE-2014-9028:
      + Backport three patches from upstream GIT repository:
        - CVE-2014-8962.patch: Fix a buffer read overflow.
        - CVE-2014-9028.patch: Avoid a heap overflow.
        - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
          the former fix, but strictly speaking not the same vulnerability.
      + Closes: #770918.
      + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

   -- Fabian Greffrath <fabian+debian@xxxxxxxxxxxxx>  Thu, 27 Nov 2014
  16:52:51 +0100

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flac/+bug/1398666/+subscriptions

References

[Bug 1398666] [NEW] Sync flac 1.3.0-3 (main) from Debian unstable (main)
From: Logan Rosen, 2014-12-03