Your message dated Sat, 07 Feb 2009 11:32:10 +0000
with message-id <[email protected]>
and subject line Bug#514138: fixed in audacity 1.3.5-2+lenny1
has caused the Debian Bug report #514138,
regarding audacity: buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
514138: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514138
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: audacity
Version: 1.3.5-2
Severity: grave
Tags: security
Justification: user security hole
There is a buffer overflow in audacity apparently affecting the etch
and lenny versions. You can find a reproducer here[0].
However, I just took a random .gro file and when importing it under
Projects with import midi (I tested under etch), it produced a buffer
overflow. More information can be found here[1] or in the Gentoo
bug report[2]. I'll post the CVE id here once it has been assigned.
Please check with upstream whether they are aware of the issue and
working on a patch.
Cheers
Steffen
[0]: http://www.milw0rm.com/exploits/7634
[1]: http://secunia.com/advisories/33356/
[2]: https://bugs.gentoo.org/show_bug.cgi?id=253493
--- End Message ---
--- Begin Message ---
Source: audacity
Source-Version: 1.3.5-2+lenny1
We believe that the bug you reported is fixed in the latest version of
audacity, which is due to be installed in the Debian FTP archive:
audacity_1.3.5-2+lenny1.diff.gz
to pool/main/a/audacity/audacity_1.3.5-2+lenny1.diff.gz
audacity_1.3.5-2+lenny1.dsc
to pool/main/a/audacity/audacity_1.3.5-2+lenny1.dsc
audacity_1.3.5-2+lenny1_amd64.deb
to pool/main/a/audacity/audacity_1.3.5-2+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[email protected]> (supplier of updated audacity package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 06 Feb 2009 22:11:20 +0100
Source: audacity
Binary: audacity
Architecture: source amd64
Version: 1.3.5-2+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian Multimedia Team <[email protected]>
Changed-By: Nico Golde <[email protected]>
Description:
audacity - A fast, cross-platform audio editor
Closes: 514138
Changes:
audacity (1.3.5-2+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix stack-based buffer overflow in String_parse::get_nonspace_quoted()
used when importing MIDI files leading to arbitrary code execution
(midi_parsing_overflow.patch; No CVE id yet; Closes: #514138).
--- End Message ---
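The changelog above names a stack-based overflow in a "get non-space, possibly quoted token" routine used by the MIDI importer. As an added illustration of that bug class and its fix pattern (not Audacity's code and not the actual midi_parsing_overflow.patch), here is a hypothetical bounded token reader writing into a fixed-size stack buffer; the function and buffer names, TOKEN_MAX and the sample line are all assumptions:

```c
#include <ctype.h>
#include <stddef.h>

#define TOKEN_MAX 32   /* fixed-size stack buffer, the pattern behind this bug class */

/* Hypothetical, bounded re-creation of a "next non-space or quoted token"
 * reader; illustration only, not Audacity's code. Copies the next token from
 * *cursor into out (capacity out_size, NUL included). A token is a "double-
 * quoted string" (quotes stripped, spaces allowed) or a run of non-whitespace.
 * Returns the token length, or -1 if it does not fit. Without the two bounds
 * checks, an overlong token in an untrusted file overruns the caller's buffer. */
static int get_nonspace_quoted(const char **cursor, char *out, size_t out_size)
{
    const char *p = *cursor;
    size_t n = 0;
    if (out_size == 0) return -1;
    while (isspace((unsigned char)*p)) p++;        /* skip leading whitespace */
    if (*p == '"') {
        p++;
        while (*p && *p != '"') {
            if (n + 1 >= out_size) return -1;      /* bounds check, quoted */
            out[n++] = *p++;
        }
        if (*p == '"') p++;                        /* consume closing quote if present */
    } else {
        while (*p && !isspace((unsigned char)*p)) {
            if (n + 1 >= out_size) return -1;      /* bounds check, bare */
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    *cursor = p;
    return (int)n;
}

/* Tokenizes one line into a TOKEN_MAX stack buffer; returns the token count,
 * or -1 as soon as any token would overflow it (reject the file, do not guess). */
static int count_tokens(const char *line)
{
    char tok[TOKEN_MAX];
    const char *cur = line;
    int count = 0;
    for (;;) {
        while (isspace((unsigned char)*cur)) cur++;
        if (*cur == '\0') break;
        if (get_nonspace_quoted(&cur, tok, sizeof tok) < 0) return -1;
        count++;
    }
    return count;
}
```

With a constructed line such as `note 60 "Grand Piano" 0.5`, count_tokens returns 4; a single 32-character token makes it return -1 instead of writing past `tok`.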