
Bug#893132: marked as done (libvorbisidec: CVE-2018-5147: out-of-bounds memory write)



Your message dated Sat, 17 Mar 2018 21:42:25 +0000
with message-id <E1exJar-0004aC-9A@fasolo.debian.org>
and subject line Bug#893132: fixed in libvorbisidec 1.0.2+svn18153-1+deb9u1
has caused the Debian Bug report #893132,
regarding libvorbisidec: CVE-2018-5147: out-of-bounds memory write
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
893132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893132
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libvorbisidec
Version: 1.0.2+svn18153-0.2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for libvorbisidec.

CVE-2018-5147[0]:
out-of-bounds memory write

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5147
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5147
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvorbisidec
Source-Version: 1.0.2+svn18153-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Mar 2018 21:00:34 +0100
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source
Version: 1.0.2+svn18153-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 893132
Description: 
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Changes:
 libvorbisidec (1.0.2+svn18153-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
     (Closes: #893132)
Checksums-Sha1: 
 8a37a9da1b2f3accc1232c4210b97e8350fa8bf1 2178 libvorbisidec_1.0.2+svn18153-1+deb9u1.dsc
 4a76cde3464f9489b058e9a33a2030f0d94b5980 6200 libvorbisidec_1.0.2+svn18153-1+deb9u1.diff.gz
Checksums-Sha256: 
 cd6aacaa49906b670205b1dd5ead312fd18fe95ace60f7a8037dd8f9538cef38 2178 libvorbisidec_1.0.2+svn18153-1+deb9u1.dsc
 9546b0b71df8a07e0680a7d713c5a969e862ee715f61045804ce2b46fd52267e 6200 libvorbisidec_1.0.2+svn18153-1+deb9u1.diff.gz
Files: 
 29657243bfc545c4238d48eca8c5b67c 2178 libs extra libvorbisidec_1.0.2+svn18153-1+deb9u1.dsc
 29b2b0cd76669fa75d0cbce3320dad0d 6200 libs extra libvorbisidec_1.0.2+svn18153-1+deb9u1.diff.gz


--- End Message ---
