
Bug#914641: marked as done (faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956)



Your message dated Tue, 17 Sep 2019 11:02:35 +0000
with message-id <E1iABFj-000Ig9-3x@fasolo.debian.org>
and subject line Bug#914641: fixed in faad2 2.8.0~cvs20161113-1+deb9u2
has caused the Debian Bug report #914641,
regarding faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
914641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914641
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: faad2
Version: 2.8.8-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/faac/bugs/240/

Hi,

The following vulnerabilities were published for faad2.

CVE-2018-19502[0]:
| An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
| 2.8.1. There was a heap-based buffer overflow in the function
| excluded_channels() in libfaad/syntax.c.

CVE-2018-19503[1]:
| An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
| 2.8.1. There was a stack-based buffer overflow in the function
| calculate_gain() in libfaad/sbr_hfadj.c.

CVE-2018-19504[2]:
| An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
| 2.8.1. There is a NULL pointer dereference in ifilter_bank() in
| libfaad/filtbank.c.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19502
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19502
[1] https://security-tracker.debian.org/tracker/CVE-2018-19503
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19503
[2] https://security-tracker.debian.org/tracker/CVE-2018-19504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19504

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: faad2
Source-Version: 2.8.0~cvs20161113-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
faad2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <hle@debian.org> (supplier of updated faad2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Sep 2019 18:52:19 +0200
Source: faad2
Binary: faad faad2-dbg libfaad-dev libfaad2
Architecture: source amd64
Version: 2.8.0~cvs20161113-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <hle@debian.org>
Description:
 faad       - freeware Advanced Audio Decoder player
 faad2-dbg  - freeware Advanced Audio Decoder - debugging symbols
 libfaad-dev - freeware Advanced Audio Decoder - development files
 libfaad2   - freeware Advanced Audio Decoder - runtime files
Closes: 914641
Changes:
 faad2 (2.8.0~cvs20161113-1+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-20357, CVE-2018-20359, CVE-2018-20197, CVE-2018-20194,
     CVE-2018-19503, CVE-2018-20361: multiple memory corruption vulnerabilities
     caused by insufficiently sanitized frequency band borders.
   * CVE-2018-20358, CVE-2018-20362, CVE-2018-19504, CVE-2018-20195,
     CVE-2018-20198: multiple memory corruption vulnerabilities caused by syntax
     element inconsistencies (implicit channel mapping reconfiguration).
   * CVE-2019-15296: buffer overflow in faad_resetbits.
   * CVE-2018-19502: heap-based buffer overflow in excluded_channels
     (libfaad/syntax.c) (Closes: #914641).


--- End Message ---
