[Bug 1398666] [NEW] Sync flac 1.3.0-3 (main) from Debian unstable (main)

Launchpad Bug Tracker 1398666 at bugs.launchpad.net
Wed Dec 3 04:06:18 UTC 2014


You have been subscribed to a public bug by Logan Rosen (logan):

Please sync flac 1.3.0-3 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-8962.patch: validate id in
      src/libFLAC/stream_decoder.c.
    - CVE-2014-8962
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
      in src/libFLAC/stream_decoder.c.
    - CVE-2014-9028
This security fixes were done in Debian.

Changelog entries since current vivid version 1.3.0-2ubuntu1:

flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <fabian+debian at greffrath.com>  Thu, 27 Nov 2014
16:52:51 +0100

** Affects: flac (Ubuntu)
     Importance: Wishlist
         Status: New

-- 
Sync flac 1.3.0-3 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/1398666
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.



More information about the Ubuntu-sponsors mailing list