[Bug 1398666] Re: Sync flac 1.3.0-3 (main) from Debian unstable (main)
Daniel Holbach
daniel.holbach at ubuntu.com
Wed Dec 3 16:22:40 UTC 2014
This bug was fixed in the package flac - 1.3.0-3
Sponsored for Logan Rosen (logan)
---------------
flac (1.3.0-3) unstable; urgency=high
* Fixes for CVE-2014-8962 and CVE-2014-9028:
+ Backport three patches from upstream GIT repository:
- CVE-2014-8962.patch: Fix a buffer read overflow.
- CVE-2014-9028.patch: Avoid a heap overflow.
- CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
the former fix, but strictly speaking not the same vulnerability.
+ Closes: #770918.
+ Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
-- Fabian Greffrath <fabian+debian at greffrath.com> Thu, 27 Nov 2014
16:52:51 +0100
** Changed in: flac (Ubuntu)
Status: New => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-8962
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9028
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1398666
Title:
Sync flac 1.3.0-3 (main) from Debian unstable (main)
Status in flac package in Ubuntu:
Fix Released
Bug description:
Please sync flac 1.3.0-3 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
- debian/patches/CVE-2014-8962.patch: validate id in
src/libFLAC/stream_decoder.c.
- CVE-2014-8962
* SECURITY UPDATE: arbitrary code execution via crafted .flac file
- debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
in src/libFLAC/stream_decoder.c.
- CVE-2014-9028
This security fixes were done in Debian.
Changelog entries since current vivid version 1.3.0-2ubuntu1:
flac (1.3.0-3) unstable; urgency=high
* Fixes for CVE-2014-8962 and CVE-2014-9028:
+ Backport three patches from upstream GIT repository:
- CVE-2014-8962.patch: Fix a buffer read overflow.
- CVE-2014-9028.patch: Avoid a heap overflow.
- CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
the former fix, but strictly speaking not the same vulnerability.
+ Closes: #770918.
+ Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
-- Fabian Greffrath <fabian+debian at greffrath.com> Thu, 27 Nov 2014
16:52:51 +0100
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flac/+bug/1398666/+subscriptions
More information about the Ubuntu-sponsors
mailing list