
Bug#445889: marked as done (CVE-2007-4974 heap overflow in libsndfile included in libs/)



Your message dated Tue, 04 Dec 2007 18:32:04 +0000
with message-id <E1IzcYu-0005l0-OE@ries.debian.org>
and subject line Bug#445889: fixed in ardour 1:2.1-1.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ardour
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ardour.

CVE-2007-4974[0]:
| Heap-based buffer overflow in libsndfile 1.0.17 and earlier might
| allow remote attackers to execute arbitrary code via a FLAC file with
| crafted PCM data containing a block with a size that exceeds the
| previous block size.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

As ardour has a code copy of libsndfile which is affected by
this, ardour is vulnerable. I looked at ardour's build log
and this library is at least built. If it is not used to
link against please close this bug.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4974

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
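The bug class the CVE text describes, as an added illustration (not ardour's or libsndfile's code; the one-byte-length block framing is an assumption made up for this example): a decoder that sizes its PCM buffer from the first block and must refuse any later block that is larger.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stream layout (an assumption for this illustration, not the
 * real FLAC framing): one length byte, then that many bytes of PCM, repeated. */

/* Decoder that sizes its PCM buffer from the first block and then copies every
 * later block into it.  The vulnerable shape described by CVE-2007-4974 omits
 * the "len > cap" test below, so a later, larger block overruns the heap buffer.
 * Returns the number of blocks decoded, or -1 if a block is truncated or larger
 * than the buffer. */
int decode_blocks_checked(const uint8_t *stream, size_t stream_len)
{
    if (stream_len == 0)
        return 0;
    size_t cap = stream[0];               /* capacity fixed by the first block */
    uint8_t *pcm = malloc(cap ? cap : 1);
    if (pcm == NULL)
        return -1;
    size_t pos = 0;
    int blocks = 0;
    while (pos < stream_len) {
        size_t len = stream[pos++];
        if (len > stream_len - pos) {     /* block claims more bytes than remain */
            free(pcm);
            return -1;
        }
        if (len > cap) {                  /* the CVE case: larger than the buffer */
            free(pcm);
            return -1;
        }
        memcpy(pcm, stream + pos, len);   /* safe: len <= cap */
        pos += len;
        blocks++;
    }
    free(pcm);
    return blocks;
}

/* Constructed sample: two blocks, the second no larger than the first. */
int demo_valid_stream(void)
{
    const uint8_t stream[] = { 3, 0x01, 0x02, 0x03,  2, 0x04, 0x05 };
    return decode_blocks_checked(stream, sizeof stream);   /* 2 */
}

/* Constructed sample: a second block larger than the first is rejected. */
int demo_oversize_block(void)
{
    const uint8_t stream[] = { 2, 0x01, 0x02,  4, 0x03, 0x04, 0x05, 0x06 };
    return decode_blocks_checked(stream, sizeof stream);   /* -1 */
}
```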
--- Begin Message ---
Source: ardour
Source-Version: 1:2.1-1.1

We believe that the bug you reported is fixed in the latest version of
ardour, which is due to be installed in the Debian FTP archive:

ardour-i686_2.1-1.1_i386.deb
  to pool/main/a/ardour/ardour-i686_2.1-1.1_i386.deb
ardour_2.1-1.1.diff.gz
  to pool/main/a/ardour/ardour_2.1-1.1.diff.gz
ardour_2.1-1.1.dsc
  to pool/main/a/ardour/ardour_2.1-1.1.dsc
ardour_2.1-1.1_i386.deb
  to pool/main/a/ardour/ardour_2.1-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 445889@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated ardour package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 04 Dec 2007 17:37:42 +0100
Source: ardour
Binary: ardour ardour-i686 ardour-altivec
Architecture: source i386
Version: 1:2.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Team <debian-multimedia@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 ardour     - digital audio workstation (graphical gtk2 interface)
 ardour-i686 - digital audio workstation (graphical gtk2 interface) [i686]
Closes: 445889 446597
Changes: 
 ardour (1:2.1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing-security team.
   * Fix FTBFS caused by type casting by adding a patch by
     Thiemo Seufer (90_fix-ftbfs-for-abs.patch; Closes: #446597).
   * Fix heap-based buffer overflow possibly leading to arbitrary code
     execution in embedded copy of libsndfile (CVE-2007-4974; Closes: #445889).
Files: 
 29a916c8c7a488722bdaa915016a518a 1231 sound optional ardour_2.1-1.1.dsc
 122d569283770d6b3132046a131e7e77 50543 sound optional ardour_2.1-1.1.diff.gz
 997d6455cbf814cc3512e16c04680a2b 6494112 sound optional ardour_2.1-1.1_i386.deb
 65c1f2f8179e3c25074bb217fb6cd77f 5393072 sound optional ardour-i686_2.1-1.1_i386.deb




--- End Message ---
