Your message dated Sun, 13 Apr 2008 19:52:14 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#446034: fixed in alsaplayer 0.99.76-9+etch1
has caused the Debian Bug report #446034,
regarding CVE-2007-5301 buffer overflow in vorbis input plugin
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
446034: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446034
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: alsaplayer
Severity: grave
Tags: security
Hi,
The following was released on:
http://secunia.com/advisories/27117/
| Some vulnerabilities have been reported in AlsaPlayer, which potentially can be
| exploited by malicious people to compromise a user's system.
|
| The vulnerabilities are caused due to boundary errors in the vorbis input
| plug-in when processing .OGG files. These can be exploited to cause buffer
| overflows via a specially crafted .OGG file with overly long comments.
|
| Successful exploitation may allow execution of arbitrary code.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
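The advisory quoted above describes the bug class only in general terms (a length-prefixed comment field copied into a fixed buffer). The following is an added illustration of that class and of the bounded alternative; it is not alsaplayer's code and is not the upstream patch referenced in the fix. It follows the Vorbis I comment-header layout (little-endian u32 vendor length, vendor string, u32 comment count, then u32 length plus bytes per comment). The FIELD_MAX size, the function names and the sample headers are assumptions constructed for the example.

```c
/* Added example (not alsaplayer code): the CVE-2007-5301 bug class, an
 * attacker-controlled Vorbis comment length trusted when copying into a
 * fixed-size field, next to a bounded parser that rejects such input. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* hypothetical fixed-size destination field */

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Build a minimal Vorbis comment header with one user comment (constructed
 * test input). Returns bytes written, or 0 if cap is too small. */
size_t build_comment_header(const char *vendor, const char *comment,
                            unsigned char *out, size_t cap) {
    size_t vl = strlen(vendor), cl = strlen(comment);
    size_t need = 4 + vl + 4 + 4 + cl;
    if (need > cap) return 0;
    unsigned char *p = out;
    wr_le32(p, (uint32_t)vl); p += 4; memcpy(p, vendor, vl); p += vl;
    wr_le32(p, 1);            p += 4;              /* one user comment */
    wr_le32(p, (uint32_t)cl); p += 4; memcpy(p, comment, cl);
    return need;
}

/* VULNERABLE pattern, shown for contrast only and never called here: the
 * length read from the file decides how many bytes land in a FIELD_MAX
 * buffer, so an overly long comment overflows dst. */
void copy_first_comment_unsafe(const unsigned char *buf, char *dst) {
    const unsigned char *p = buf;
    uint32_t vl = rd_le32(p); p += 4 + vl;     /* skip vendor string */
    p += 4;                                    /* skip comment count */
    uint32_t cl = rd_le32(p); p += 4;
    memcpy(dst, p, cl);                        /* no bound: overflow */
    dst[cl] = '\0';
}

/* Bounded version: every length is checked against the bytes remaining in
 * the header and against the destination size. Returns 0 on success, -1 on
 * malformed or oversized input. */
int copy_first_comment_safe(const unsigned char *buf, size_t len,
                            char *dst, size_t dstsz) {
    size_t pos = 0;
    if (len < 4) return -1;
    uint32_t vlen = rd_le32(buf); pos += 4;
    if (vlen > len - pos) return -1;           /* vendor string truncated */
    pos += vlen;
    if (len - pos < 4) return -1;
    uint32_t count = rd_le32(buf + pos); pos += 4;
    if (count == 0 || len - pos < 4) return -1;
    uint32_t clen = rd_le32(buf + pos); pos += 4;
    if (clen > len - pos) return -1;           /* claims more than the file has */
    if (clen >= dstsz) return -1;              /* would not fit with the NUL */
    memcpy(dst, buf + pos, clen);
    dst[clen] = '\0';
    return 0;
}

/* Sample 1 (constructed): well-formed header, short comment. Returns 1 if the
 * bounded copy succeeds and yields the comment text. */
int demo_normal_comment(void) {
    unsigned char hdr[512]; char field[FIELD_MAX];
    size_t n = build_comment_header("Xiph.Org libVorbis", "TITLE=ok", hdr, sizeof hdr);
    if (n == 0) return 0;
    if (copy_first_comment_safe(hdr, n, field, sizeof field) != 0) return 0;
    return strcmp(field, "TITLE=ok") == 0;
}

/* Sample 2 (constructed): the "overly long comment" case from the advisory,
 * 199 bytes into a 64-byte field. Returns the bounded copier's status. */
int demo_overlong_comment(void) {
    unsigned char hdr[512]; char field[FIELD_MAX]; char comment[200];
    memset(comment, 'A', sizeof comment - 1); comment[sizeof comment - 1] = '\0';
    size_t n = build_comment_header("v", comment, hdr, sizeof hdr);
    if (n == 0) return -2;
    return copy_first_comment_safe(hdr, n, field, sizeof field);
}

/* Sample 3 (constructed): a comment length that claims far more bytes than
 * the header holds (offset 9 = 4 vendor-length + 1 vendor + 4 count). */
int demo_truncated_header(void) {
    unsigned char hdr[512]; char field[FIELD_MAX];
    size_t n = build_comment_header("v", "ARTIST=x", hdr, sizeof hdr);
    if (n == 0) return -2;
    wr_le32(hdr + 9, 0x7fffffffu);
    return copy_first_comment_safe(hdr, n, field, sizeof field);
}
```

The unsafe function is the shape of the bug: the only size information comes from the file. The safe one rejects rather than truncates; a player that prefers to keep playing could instead clamp clen to dstsz - 1, as long as the copy length never comes straight from the header.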
--- Begin Message ---
Source: alsaplayer
Source-Version: 0.99.76-9+etch1
We believe that the bug you reported is fixed in the latest version of
alsaplayer, which is due to be installed in the Debian FTP archive:
alsaplayer-alsa_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_i386.deb
alsaplayer-common_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_i386.deb
alsaplayer-daemon_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_i386.deb
alsaplayer-esd_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_i386.deb
alsaplayer-gtk_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_i386.deb
alsaplayer-jack_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_i386.deb
alsaplayer-nas_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_i386.deb
alsaplayer-oss_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_i386.deb
alsaplayer-text_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_i386.deb
alsaplayer-xosd_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_i386.deb
alsaplayer_0.99.76-9+etch1.diff.gz
to pool/main/a/alsaplayer/alsaplayer_0.99.76-9+etch1.diff.gz
alsaplayer_0.99.76-9+etch1.dsc
to pool/main/a/alsaplayer/alsaplayer_0.99.76-9+etch1.dsc
libalsaplayer-dev_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_i386.deb
libalsaplayer0_0.99.76-9+etch1_i386.deb
to pool/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Devin Carraway <[EMAIL PROTECTED]> (supplier of updated alsaplayer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 30 Mar 2008 07:35:43 +0000
Source: alsaplayer
Binary: alsaplayer-daemon alsaplayer-xosd libalsaplayer-dev alsaplayer-jack
alsaplayer-esd alsaplayer-text alsaplayer-nas alsaplayer-oss alsaplayer-alsa
alsaplayer-gtk libalsaplayer0 alsaplayer-common
Architecture: source i386
Version: 0.99.76-9+etch1
Distribution: stable-security
Urgency: high
Maintainer: Hubert Chan <[EMAIL PROTECTED]>
Changed-By: Devin Carraway <[EMAIL PROTECTED]>
Description:
alsaplayer-alsa - PCM player designed for ALSA (ALSA output module)
alsaplayer-common - PCM player designed for ALSA (common files)
alsaplayer-daemon - PCM player designed for ALSA (non-interactive version)
alsaplayer-esd - PCM player designed for ALSA (EsounD output module)
alsaplayer-gtk - PCM player designed for ALSA (GTK version)
alsaplayer-jack - PCM player designed for ALSA (JACK output module)
alsaplayer-nas - PCM player designed for ALSA (NAS output module)
alsaplayer-oss - PCM player designed for ALSA (OSS output module)
alsaplayer-text - PCM player designed for ALSA (text version)
alsaplayer-xosd - PCM player designed for ALSA (osd version)
libalsaplayer-dev - PCM player designed for ALSA (interface library, development file)
libalsaplayer0 - PCM player designed for ALSA (interface library)
Closes: 446034
Changes:
alsaplayer (0.99.76-9+etch1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* 32_security_CVE-2007-5301: patch from upstream for CVE-2007-5301,
correcting a buffer overflow vulnerability in the Vorbis plugin.
Closes: #446034
Files:
f1cef8ce08af0bc84cc18f45bf54774b 1411 sound optional alsaplayer_0.99.76-9+etch1.dsc
ff78654c9ab74d14ad218dfb226db0a4 795398 sound optional alsaplayer_0.99.76.orig.tar.gz
f2af0197803ce618482ecdc6c78b420e 179628 sound optional alsaplayer_0.99.76-9+etch1.diff.gz
c35adec287030905bf0db4e27ab81d63 158866 sound optional alsaplayer-common_0.99.76-9+etch1_i386.deb
902924f6ef4f2e63b66b183dc0c35334 115288 sound optional alsaplayer-gtk_0.99.76-9+etch1_i386.deb
f1ef493cd0e41107102a7d552b83563c 28100 sound optional alsaplayer-text_0.99.76-9+etch1_i386.deb
9d0e04a29f76e31f8b076ab3a689a23f 26996 sound optional alsaplayer-daemon_0.99.76-9+etch1_i386.deb
122a2eaf526f4566d7a7486900bf31b3 27682 sound optional alsaplayer-xosd_0.99.76-9+etch1_i386.deb
2b54d8b1f00a371d22b59d83e5cde354 25102 sound optional alsaplayer-oss_0.99.76-9+etch1_i386.deb
a4c34cf4a0ab302a9ec079830bc078a5 26732 sound optional alsaplayer-alsa_0.99.76-9+etch1_i386.deb
1a43a121d1a49ca6873ba5095d859e62 24994 sound optional alsaplayer-esd_0.99.76-9+etch1_i386.deb
9fd4b50433e0e8059e841156d89265c8 26938 sound optional alsaplayer-nas_0.99.76-9+etch1_i386.deb
9153f6bcfa7b63b15a48f28a599bbc72 28900 sound optional alsaplayer-jack_0.99.76-9+etch1_i386.deb
152b14037ca04c15f98d61da207d8d46 30404 libs optional libalsaplayer0_0.99.76-9+etch1_i386.deb
63d46351fcfaf549e0602289d9fd7139 81112 libdevel optional libalsaplayer-dev_0.99.76-9+etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR++awGz0hbPcukPfAQIfeggAnRSB3v6raymKD3lJ6agZ0tBcsPhtoIU8
jDxYMTsyNLamvd9yEztpa7zHdbTlOU0BRWjJ/hLIS8XKg4O5P6zYBUFDkR8eNFJc
wSSmK23rbnh+4oV/qR+AOJ3RyTwfOPeLpgQ6lKxLzu8+em3tvpoZ504M6mcegqtB
Z9vuK5R1NXLUrXPuk67FIxDD05CtwXjWLjGworc9h7IWKnRYg8871Tz28jqr4Re5
v74dSiXKVZubH3iSe3X4UbsT23dlAWF3vsYh9uANzA7WU+gmzjk/IWEQ7yK8aRB4
zJoWuErwxncVEKDh68XpS02pOSZbPJwu+IGTqnb1K4uF/TEQkfBHyQ==
=6eML
-----END PGP SIGNATURE-----
--- End Message ---