Your message dated Mon, 03 Jul 2017 19:34:01 +0000
with message-id <e1ds76f-000blj...@fasolo.debian.org>
and subject line Bug#866860: fixed in mpg123 1.25.1-1
has caused the Debian Bug report #866860,
regarding mpg123: CVE-2017-10683
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
866860: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866860
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mpg123
Version: 1.25.0-1
Severity: important
Tags: upstream security
Hi,
the following vulnerability was published for mpg123.
CVE-2017-10683[0]:
| In mpg123 1.25.0, there is a heap-based buffer over-read in the
| convert_latin1 function in libmpg123/id3.c. A crafted input will lead
| to a remote denial of service attack.
This was reported at [1], but Hanno Boeck recently reported [2] as
well.
Looking at both cases I think those should be the same issues, and
upstream has a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
[2] https://sourceforge.net/p/mpg123/bugs/252/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mpg123
Source-Version: 1.25.1-1
We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Ramacher <sramac...@debian.org> (supplier of updated mpg123 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 03 Jul 2017 21:13:06 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libout123-0 libmpg123-dev
Architecture: source
Version: 1.25.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramac...@debian.org>
Description:
libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
libout123-0 - MPEG layer 1/2/3 audio decoder (libout123 shared library)
mpg123 - MPEG layer 1/2/3 audio player
Closes: 866860
Changes:
mpg123 (1.25.1-1) unstable; urgency=medium
.
* Team upload.
* New upstream release.
- Fix heap-based buffer over-read (CVE-2017-10683) (Closes: #866860)
* debian/control: Bump Standards-Version.
Checksums-Sha1:
5deac5e889a95e074f279e461ac446ccb32fe97a 2282 mpg123_1.25.1-1.dsc
66239b257801df70d4618b82405d038a78f7c5c8 917500 mpg123_1.25.1.orig.tar.bz2
cc43c907b58bcd4478db2f893310fd1e34a9d0db 23332 mpg123_1.25.1-1.debian.tar.xz
fcd74acc0a5ee326430e9e7c6ae8f36d8dbef0d3 8653 mpg123_1.25.1-1_amd64.buildinfo
Checksums-Sha256:
7dc995e3165c5d36188dfcee567d95be80b05b74fbb51cf4625e99c7a27aaf0b 2282 mpg123_1.25.1-1.dsc
0fe7270a4071367f97a7c1fb45fb2ef3cfef73509c205124e080ea569217b05f 917500 mpg123_1.25.1.orig.tar.bz2
46e05e5e61ebd27d300ed682414ec72809249d06cce43105bf7888c08b1b8fab 23332 mpg123_1.25.1-1.debian.tar.xz
24a5bdf94a59bacc5fbb608331e0aa5e79b21191b69938a26fb947d55c7ed7ef 8653 mpg123_1.25.1-1_amd64.buildinfo
Files:
84e8feee04418ddf70751d845d22394a 2282 sound optional mpg123_1.25.1-1.dsc
89a388221d281b9e9a1a875a0fb3f3f1 917500 sound optional mpg123_1.25.1.orig.tar.bz2
955470b679e0e4060db1c150bf89116d 23332 sound optional mpg123_1.25.1-1.debian.tar.xz
87c34fcde029a0fc8706f3cabaf96f82 8653 sound optional mpg123_1.25.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAllamBgACgkQafL8UW6n
GZNVIRAAnYW0OYxcE34rObZhjijosHqBpX82TGOTgTAJI27tRIboIEi4KeyGe7Be
z9ixKazPwmISyuRr0AOvk4tfcpuubUKTj1tN2HG2PFmxJqqb95jJGECBWU4SA66U
CEPlRVbUAbw+LQ6YFwUWtUfmCR6H0Dn/9w/Tbk8prLSSldqXroghYs7eHXQEJIIO
SdV0nI97hvlRah7LQPLgyMzsir7/b/sjFXWgsLQqEiIqE9oUF8k0qScgk1wVB1/6
04C7dw3SGKVx5CWbmjUt3WPXB3efCFMWHDC5+V+9TJSp7BMbW97ICnmrEHZ5B713
yB10dptMGxLdEnpbvmM4teM9iPOIaa2cwkblaGt5A3s/JTDJ+wLiSD4S/qfTyG5X
GLQu4J/3wF19MXOS+b03AMjQ7IcApujw0tfVPr3SSHkSj9y9ii0kd8sE2Fyhm7dF
nA0274EAQWia3+CmZ2CQvSc0h8hPdJA+hpE9kDP8kpIsWeMsH8Yg7J0nkpXAp4lW
DL0CRfj7V2vl5txAL+yJLTuSW1xlP3wlv/xifdynf5NATKA3BL3qVjcRHyBhyrDx
nczuNzqB+5S2vIL9lAoo7XuPU4ZlCaQTABBEH/xwVdO1woeV4dbpcpiCDje/mv2m
BxbtFI//i2v1gDDQf6ZVyIAZjtg7azy1W64ORXZRjb2NCYDIT7I=
=XN71
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers