
Bug#915763: marked as done (faac: CVE-2018-19886 CVE-2018-19887 CVE-2018-19889 CVE-2018-19890 CVE-2018-19891)



Your message dated Thu, 17 Oct 2019 19:19:34 +0000
with message-id <E1iLBJ8-0006Ro-NK@fasolo.debian.org>
and subject line Bug#915763: fixed in faac 1.30-1
has caused the Debian Bug report #915763,
regarding faac: CVE-2018-19886 CVE-2018-19887 CVE-2018-19889 CVE-2018-19890 CVE-2018-19891
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
915763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915763
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: faac
Version: 1.29.9.2-2
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for faac.

CVE-2018-19886[0]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 8 case.

CVE-2018-19887[1]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 4 case.

CVE-2018-19889[2]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 6 case.

CVE-2018-19890[3]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 2 case.

CVE-2018-19891[4]:
| An invalid memory address dereference was discovered in the huffcode
| function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC)
| 1.29.9.2. The vulnerability causes a segmentation fault and application
| crash, which leads to denial of service in the book 10 case.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19886
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19886
[1] https://security-tracker.debian.org/tracker/CVE-2018-19887
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19887
[2] https://security-tracker.debian.org/tracker/CVE-2018-19889
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19889
[3] https://security-tracker.debian.org/tracker/CVE-2018-19890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19890
[4] https://security-tracker.debian.org/tracker/CVE-2018-19891
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19891

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: faac
Source-Version: 1.30-1

We believe that the bug you reported is fixed in the latest version of
faac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915763@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated faac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Oct 2019 20:58:54 +0200
Source: faac
Architecture: source
Version: 1.30-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Closes: 915763 928038
Changes:
 faac (1.30-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/watch: Use https protocol
   * Use debhelper-compat instead of debian/compat
 .
   [ Fabian Greffrath ]
   * Upstream moved to GitHub, adapt Homepage field
     and debian/watch file accordingly.
   * New upstream version 1.30
     + Check index ranges before dereferencing book arrays
       (CVE-2018-19886, CVE-2018-19887, CVE-2018-19889,
       CVE-2018-19890, CVE-2018-19891) Closes: #915763.
     + Add stdint.h header inclusions, Closes: #928038.
   * Remove all patches, applied upstream.
   * Bump debhelper-compat to 12.
   * Bump Standards-Version to 4.4.1.
   * Rules-Requires-Root: no.
   * Add Build-Depends-Package lines to the symbols file.
   * Add "usr/lib/*/*.la" to the debian/not-installed file.
Checksums-Sha1:
 36d39b6a964a3aaa2f9432b9e05cc851b3f8ea98 2077 faac_1.30-1.dsc
 a07f7f5d700f9aa15fb70276c9ae2199c4cfc2cb 241750 faac_1.30.orig.tar.gz
 246c9101ae5523f4793595ba079adca3bae31dbc 6596 faac_1.30-1.debian.tar.xz
 03e25dbdec89b432bb693ef7f5022f65c0e7a77b 6309 faac_1.30-1_amd64.buildinfo
Checksums-Sha256:
 7883fa031dfaae6f66401ede9a14340c5136f3a98aba81700a42fe0f4943fd55 2077 faac_1.30-1.dsc
 adc387ce588cca16d98c03b6ec1e58f0ffd9fc6eadb00e254157d6b16203b2d2 241750 faac_1.30.orig.tar.gz
 907549e0fe858277839f3f6a7626abe20a172b4490e8a03724587a5a52ee047e 6596 faac_1.30-1.debian.tar.xz
 fe230212c07c32bf9ed8af6ab697668b03ce626bb494064f408e6fc10bf3fd8b 6309 faac_1.30-1_amd64.buildinfo
Files:
 5d0d2c6d68862ac002f6117d6d0a6fa3 2077 non-free/sound optional faac_1.30-1.dsc
 8d61e6d55088e599aa91532d5e6995b0 241750 non-free/sound optional faac_1.30.orig.tar.gz
 f9946523d21cb143ddfb56e687b3a912 6596 non-free/sound optional faac_1.30-1.debian.tar.xz
 a7527f081957b0781518bfdfcf3cf7be 6309 non-free/sound optional faac_1.30-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
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=paXO
-----END PGP SIGNATURE-----

--- End Message ---
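The five CVEs in the report above all share one shape: a Huffman codebook lookup where the index is derived from quantized coefficient values that the table was never sized for, and the changelog records the fix as checking index ranges before dereferencing the book arrays. The following is an added illustration of that bug class and its repair, not code from faac, libfaac/huff2.c or the 1.30 fix. The codebook, its code lengths and the base-3 index scheme are constructed for the example in the style of a 4-tuple codebook covering values in [-1, 1]; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a 4-tuple Huffman codebook that only covers
 * quantized values in [-1, 1]: 3^4 = 81 entries. The stored values are
 * made-up code lengths, not a real AAC codebook (assumption for the example). */
#define QUAD_DIM     4
#define QUAD_MAXABS  1
#define QUAD_ENTRIES 81   /* (2*QUAD_MAXABS + 1)^QUAD_DIM */

static int quad_book_len[QUAD_ENTRIES];

/* Fill the table deterministically so the example runs offline. */
static void init_constructed_book(void)
{
    for (int i = 0; i < QUAD_ENTRIES; i++)
        quad_book_len[i] = 1 + (i % 11);
}

/* Index computation in the style of a quad codebook: each value is shifted
 * by +QUAD_MAXABS into [0, 2] and treated as a base-3 digit. */
static int quad_index(const int *q)
{
    int idx = 0;
    for (int k = 0; k < QUAD_DIM; k++)
        idx = idx * 3 + (q[k] + QUAD_MAXABS);
    return idx;
}

/* Vulnerable pattern: trusts that the caller only passes values the book
 * covers. A value outside [-1, 1] produces an index outside [0, 80] and an
 * out-of-bounds read of quad_book_len, which is the invalid dereference the
 * CVE descriptions talk about. */
static int quad_bits_unchecked(const int *q)
{
    return quad_book_len[quad_index(q)];
}

/* Hardened pattern: validate every value against the book's range before
 * forming the index, then validate the index against the table size.
 * Returns -1 instead of dereferencing out of bounds. */
static int quad_bits_checked(const int *q)
{
    for (int k = 0; k < QUAD_DIM; k++)
        if (q[k] < -QUAD_MAXABS || q[k] > QUAD_MAXABS)
            return -1;
    int idx = quad_index(q);
    if (idx < 0 || idx >= QUAD_ENTRIES)
        return -1;
    return quad_book_len[idx];
}

/* Sum of code lengths over a block of coefficients, failing closed on the
 * first tuple the book cannot encode instead of reading past the table. */
static long count_bits_checked(const int *q, size_t n)
{
    long total = 0;
    if (n % QUAD_DIM != 0)
        return -1;
    for (size_t i = 0; i < n; i += QUAD_DIM) {
        int b = quad_bits_checked(q + i);
        if (b < 0)
            return -1;
        total += b;
    }
    return total;
}

int main(void)
{
    init_constructed_book();
    int ok[QUAD_DIM]  = { 1, 0, -1, 1 };   /* every value in range */
    int bad[QUAD_DIM] = { 1, 1, 1, 5 };    /* 5 is outside [-1, 1] */
    printf("in-range tuple: %d bits\n", quad_bits_checked(ok));
    printf("out-of-range tuple: %d (rejected)\n", quad_bits_checked(bad));
    /* quad_bits_unchecked(bad) would read quad_book_len[84], past the end. */
    (void)quad_bits_unchecked;
    return 0;
}
```

The value-range check and the index-range check are both kept on purpose: the first gives a precise error at the point where the wrong codebook was selected for the data, the second is the last line of defence if the index arithmetic is ever changed or overflows. Under ASan, the unchecked variant on the bad tuple reports a global-buffer-overflow read; the checked variant returns -1 and the caller can fall back to a book with a wider range or reject the frame.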
