Bug#932061: marked as done (wavpack: CVE-2019-1010319)
Your message dated Sun, 14 Jul 2019 19:35:20 +0000
with message-id <E1hmkHI-000FGu-9Q@fasolo.debian.org>
and subject line Bug#932061: fixed in wavpack 5.1.0-7
has caused the Debian Bug report #932061,
regarding wavpack: CVE-2019-1010319
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
932061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932061
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: wavpack
Version: 5.1.0-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/68
Hi,
The following vulnerability was published for wavpack.
CVE-2019-1010319[0]:
| WavPack 5.1.0 and earlier is affected by: CWE-457: Use of
| Uninitialized Variable. The impact is: Unexpected control flow,
| crashes, and segfaults. The component is: ParseWave64HeaderConfig
| (wave64.c:211). The attack vector is: Maliciously crafted .wav file.
| The fixed version is: After commit https://github.com/dbry/WavPack/com
| mit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-1010319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010319
[1] https://github.com/dbry/WavPack/issues/68
[2] https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: wavpack
Source-Version: 5.1.0-7
We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 932061@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 14 Jul 2019 21:10:51 +0200
Source: wavpack
Architecture: source
Version: 5.1.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 932060 932061
Changes:
wavpack (5.1.0-7) unstable; urgency=medium
.
* debian/patches: Cherry-pick upstream patches to fix use of uninitialized
values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061)
* debian/: Bump debhelper compat to 12.
* debian/control: Bump Standards-Version.
Checksums-Sha1:
e9bec98e6a87025925d98f33ce1d252c6d6e635c 2062 wavpack_5.1.0-7.dsc
e78d7732f78cfaea8aeedab14931c70977b7c503 11300 wavpack_5.1.0-7.debian.tar.xz
Checksums-Sha256:
ce455bf7945103854574b33358899c28cad86f4769dbea3e0a4c841e0e97992a 2062 wavpack_5.1.0-7.dsc
bf9b0a55f459ac94181fa5f49a86512c1f40ac272bb84d5feb2bd66efbba1ce8 11300 wavpack_5.1.0-7.debian.tar.xz
Files:
42306b294381403f908d83ac722e0b08 2062 sound optional wavpack_5.1.0-7.dsc
dc22df28c59e9cf1bd0929d1a88c19cc 11300 sound optional wavpack_5.1.0-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAl0rfr4ACgkQafL8UW6n
GZM2jRAApQoW4H45jtrQSwh+Sy+MKBB+I+hQCzQ9ManNrTOrdLBxQ+cR7C/+pP+f
TJt+WhMf7yAdM3X5H6YtN1oQbVxB1cWWZliBONfCjB75TP1IQv5K0WVy5cgzHvwe
eTYhcQEcYY4XICG+UUSl47ADrZZ0bBVDAajeHPz9x2/aHzRptOLybhnrujA8reae
2pIAnyRqxvslrT+dVagRKMgCRljijnx2wWlKxtwb7hNfgFbEhcGgC6tToTxEfwze
y2HoZHvK2XKbCH356VS79egxUQ9Hn67gQGmYECULw+GdOGuxFAVu6ynqPHx6jpjk
CZt3pTphvfGlnKZVFIYbniYlRPivMtWZCX+OIjj88FueycUApOX+k45sXva+ut9Z
8SVf8+OWxZ85t5oSx3vjaJeuTtFsHnsEvsRJdsHgNTahMm8m0tKBQOa48oOBlepU
zJS53tnF3XyuhmsqSVQRHI5GghEOMfNWbSD8LU2DHAgmavSn9I2oVzge/cPG0kfj
vtu3VIomvj/+mUdE7qfrLJANnKdK+SaxWwNPImFkWlnKhjXmB7YsHnPIvBBDBSY0
t7NSkT1a5dOgpQFQ2+tHmMAt+HkW6OQ3R8LggDTo59yITZ2kAJlvYih0SFgCIkAr
m0fj4nnqxu7HNVSp5Q0YCXcpd5+YXvBgI9uGxLSMMTTgeaYS1yQ=
=qIJO
-----END PGP SIGNATURE-----
--- End Message ---
Reply to: