
Bug#922372: marked as done (libsndfile: CVE-2019-3832: incomplete fix for CVE-2018-19758 still allow to read beyond buffer limits)



Your message dated Fri, 08 Mar 2019 20:35:50 +0000
with message-id <E1h2MDe-000C0D-Tm@fasolo.debian.org>
and subject line Bug#922372: fixed in libsndfile 1.0.28-6
has caused the Debian Bug report #922372,
regarding libsndfile: CVE-2019-3832: incomplete fix for CVE-2018-19758 still allow to read beyond buffer limits
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
922372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922372
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libsndfile
Version: 1.0.28-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/456

Hi,

The following vulnerability was published for libsndfile.

CVE-2019-3832[0]:
incomplete fix for CVE-2018-19758

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3832
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3832
[1] https://github.com/erikd/libsndfile/issues/456
[2] https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libsndfile
Source-Version: 1.0.28-6

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 08 Mar 2019 20:35:07 +0100
Source: libsndfile
Architecture: source
Version: 1.0.28-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Closes: 922372
Changes:
 libsndfile (1.0.28-6) unstable; urgency=medium
 .
   * Backported fix for out-of-bound reading (CVE-2019-3832) (Closes: #922372)

--- End Message ---
