Your message dated Wed, 18 Sep 2019 10:19:40 +0200 with message-id <d8ce79db-559d-46ac-d06f-bd0690ae40d3@umlaeute.mur.at> and subject line Re: Bug#914381: libsndfile: CVE-2018-19432 has caused the Debian Bug report #914381, regarding libsndfile: CVE-2018-19432 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 914381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914381 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libsndfile: CVE-2018-19432
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 22 Nov 2018 21:19:57 +0100
- Message-id: <154291799730.3153.16769312570447053767.reportbug@eldamar.local>
Source: libsndfile Version: 1.0.28-4 Severity: important Tags: security upstream Forwarded: https://github.com/erikd/libsndfile/issues/427 Hi, The following vulnerability was published for libsndfile. CVE-2018-19432[0]: | An issue was discovered in libsndfile 1.0.28. There is a NULL pointer | dereference in the function sf_write_int in sndfile.c, which will lead | to a denial of service. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-19432 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19432 [1] https://github.com/erikd/libsndfile/issues/427 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---
- To: 914381-done@bugs.debian.org
- Subject: Re: Bug#914381: libsndfile: CVE-2018-19432
- From: IOhannes m zmölnig <zmoelnig@umlaeute.mur.at>
- Date: Wed, 18 Sep 2019 10:19:40 +0200
- Message-id: <d8ce79db-559d-46ac-d06f-bd0690ae40d3@umlaeute.mur.at>
- In-reply-to: <20190816061041.GA21024@hjemme.reinholdtsen.name>
- References: <154291799730.3153.16769312570447053767.reportbug@eldamar.local> <20190102102304.GA10800@eldamar.local> <20190816061041.GA21024@hjemme.reinholdtsen.name> <20190816061041.GA21024@hjemme.reinholdtsen.name>
Version; 1.0.28-5 Thanks. libsndfile_1.0.28-5 contains a fix for the problem, but does not mention neither #914381 nor CVE-2018-19432. Instead it simply says: > * Patch to ensure that maxnum channels is not exceeded. > Thanks to Brett T. Warden <brett.t.warden@intel.com> fgmdsr IOhannes On Fri, 16 Aug 2019 08:10:41 +0200 Petter Reinholdtsen <pere@hungry.com> wrote: > According to <URL:https://security-tracker.debian.org/tracker/CVE-2018-19432 >, > this security issue is only fixed in the jessie (oldoldstable) security > repository. Why is it not fixed in unstable, stable and oldstable? > > -- > Happy hacking > Petter Reinholdtsen > >Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---