[Bug 1398666] [NEW] Sync flac 1.3.0-3 (main) from Debian unstable (main)
Launchpad Bug Tracker
1398666 at bugs.launchpad.net
Wed Dec 3 04:06:18 UTC 2014
You have been subscribed to a public bug by Logan Rosen (logan):
Please sync flac 1.3.0-3 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
- debian/patches/CVE-2014-8962.patch: validate id in
src/libFLAC/stream_decoder.c.
- CVE-2014-8962
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
- debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
in src/libFLAC/stream_decoder.c.
- CVE-2014-9028
This security fixes were done in Debian.
Changelog entries since current vivid version 1.3.0-2ubuntu1:
flac (1.3.0-3) unstable; urgency=high
* Fixes for CVE-2014-8962 and CVE-2014-9028:
+ Backport three patches from upstream GIT repository:
- CVE-2014-8962.patch: Fix a buffer read overflow.
- CVE-2014-9028.patch: Avoid a heap overflow.
- CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
the former fix, but strictly speaking not the same vulnerability.
+ Closes: #770918.
+ Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
-- Fabian Greffrath <fabian+debian at greffrath.com> Thu, 27 Nov 2014
16:52:51 +0100
** Affects: flac (Ubuntu)
Importance: Wishlist
Status: New
--
Sync flac 1.3.0-3 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/1398666
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list