[Bug 1398666] Re: Sync flac 1.3.0-3 (main) from Debian unstable (main)

Daniel Holbach daniel.holbach at ubuntu.com
Wed Dec 3 16:22:40 UTC 2014 

This bug was fixed in the package flac - 1.3.0-3
Sponsored for Logan Rosen (logan)

---------------
flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <fabian+debian at greffrath.com>  Thu, 27 Nov 2014
16:52:51 +0100

** Changed in: flac (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-8962

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9028

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1398666

Title:
  Sync flac 1.3.0-3 (main) from Debian unstable (main)

Status in flac package in Ubuntu:
  Fix Released

Bug description:
  Please sync flac 1.3.0-3 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: arbitrary code execution via crafted .flac file
      - debian/patches/CVE-2014-8962.patch: validate id in
        src/libFLAC/stream_decoder.c.
      - CVE-2014-8962
    * SECURITY UPDATE: arbitrary code execution via crafted .flac file
      - debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
        in src/libFLAC/stream_decoder.c.
      - CVE-2014-9028
  This security fixes were done in Debian.

  Changelog entries since current vivid version 1.3.0-2ubuntu1:

  flac (1.3.0-3) unstable; urgency=high

    * Fixes for CVE-2014-8962 and CVE-2014-9028:
      + Backport three patches from upstream GIT repository:
        - CVE-2014-8962.patch: Fix a buffer read overflow.
        - CVE-2014-9028.patch: Avoid a heap overflow.
        - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
          the former fix, but strictly speaking not the same vulnerability.
      + Closes: #770918.
      + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

   -- Fabian Greffrath <fabian+debian at greffrath.com>  Thu, 27 Nov 2014
  16:52:51 +0100

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flac/+bug/1398666/+subscriptions

More information about the Ubuntu-sponsors mailing list