Source: wavpack
Version: 5.0.0-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,

the following vulnerabilities were published for wavpack.

CVE-2016-10169[0]: global buffer overread in read_code / read_words.c
CVE-2016-10170[1]: heap out-of-bounds read in WriteCaffHeader / caff.c
CVE-2016-10171[2]: heap out-of-bounds read in unreorder_channels / wvunpack.c
CVE-2016-10172[3]: heap out-of-bounds read in read_new_config_info / open_utils.c

They are all fixed by the same commit [4] upstream.

Unless I'm wrong, I think those issues would not warrant a DSA for jessie, but could you please make sure the fix is included in stretch so that we do not ship wavpack affected by these?

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10169
[1] https://security-tracker.debian.org/tracker/CVE-2016-10170
[2] https://security-tracker.debian.org/tracker/CVE-2016-10171
[3] https://security-tracker.debian.org/tracker/CVE-2016-10172
[4] https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc

Please adjust the affected versions in the BTS as needed.

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
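The report asks the maintainer to name the CVE ids in the changelog entry so the Debian security tracker can credit the fix to the upload. The following is an added example, not part of the bug report or of the wavpack package: a POSIX sh check that extracts only the newest debian/changelog stanza and verifies that all four ids from the report appear in it (a mention in an older entry does not count). The sample changelog contents, the maintainer name and the version 5.0.0-2 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the newest
# debian/changelog entry names every CVE listed in the report.

WAVPACK_CVES="CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172"

# Print only the newest changelog stanza: from the first version header
# ("pkg (version) dist; urgency=...") up to, but excluding, the next header.
top_changelog_entry() {
    awk '
        /^[a-z0-9][a-z0-9.+-]* \(.*\) [^;]*; urgency=/ { n++ }
        n == 1 { print }
        n > 1  { exit }
    ' "$1"
}

# Return 0 when every CVE id appears in the newest entry; otherwise print
# the missing ids, one per line, and return 1.
check_changelog_cves() {
    entry=$(top_changelog_entry "$1")
    missing=""
    for cve in $WAVPACK_CVES; do
        case "$entry" in
            *"$cve"*) ;;
            *) missing="$missing $cve" ;;
        esac
    done
    if [ -n "$missing" ]; then
        for m in $missing; do echo "$m"; done
        return 1
    fi
    return 0
}

# Constructed sample: the newest entry names all four CVEs.
write_good_changelog() {
    cat > "$1" <<'EOF'
wavpack (5.0.0-2) unstable; urgency=medium

  * Apply upstream commit 4bc05fc490b66ef2d45b1de26abf1455b486b0dc to fix
    out-of-bounds reads (CVE-2016-10169, CVE-2016-10170, CVE-2016-10171,
    CVE-2016-10172).

 -- Example Maintainer <maintainer@example.org>  Mon, 02 Jan 2017 12:00:00 +0000

wavpack (5.0.0-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Mon, 26 Dec 2016 12:00:00 +0000
EOF
}

# Constructed sample: the CVEs are only mentioned in an older entry, so the
# new upload would not be credited with the fix.
write_bad_changelog() {
    cat > "$1" <<'EOF'
wavpack (5.0.0-3) unstable; urgency=medium

  * Update Standards-Version.

 -- Example Maintainer <maintainer@example.org>  Mon, 09 Jan 2017 12:00:00 +0000

wavpack (5.0.0-2) unstable; urgency=medium

  * Mention CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172
    only in this older entry.

 -- Example Maintainer <maintainer@example.org>  Mon, 02 Jan 2017 12:00:00 +0000
EOF
}

# Stand-alone usage: check the real changelog of a source tree.
if [ -f debian/changelog ]; then
    check_changelog_cves debian/changelog && echo "all CVE ids present in newest entry"
fi
```

The stanza extraction matters: the tracker looks at the upload that claims to fix an issue, so a CVE id buried in an earlier entry (or only in the upstream commit message) is not enough.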