
Bug#914641: marked as done (faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956)



Your message dated Wed, 28 Aug 2019 15:51:09 +0000
with message-id <E1i30E1-0005Bx-1v@fasolo.debian.org>
and subject line Bug#914641: fixed in faad2 2.8.8-3.1
has caused the Debian Bug report #914641,
regarding faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
914641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914641
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: faad2
Version: 2.8.8-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/faac/bugs/240/

Hi,

The following vulnerabilities were published for faad2.

CVE-2018-19502[0]:
| An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
| 2.8.1. There was a heap-based buffer overflow in the function
| excluded_channels() in libfaad/syntax.c.

CVE-2018-19503[1]:
| An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
| 2.8.1. There was a stack-based buffer overflow in the function
| calculate_gain() in libfaad/sbr_hfadj.c.

CVE-2018-19504[2]:
| An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
| 2.8.1. There is a NULL pointer dereference in ifilter_bank() in
| libfaad/filtbank.c.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19502
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19502
[1] https://security-tracker.debian.org/tracker/CVE-2018-19503
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19503
[2] https://security-tracker.debian.org/tracker/CVE-2018-19504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19504

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: faad2
Source-Version: 2.8.8-3.1

We believe that the bug you reported is fixed in the latest version of
faad2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <hle@debian.org> (supplier of updated faad2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 27 Aug 2019 13:29:39 -0400
Source: faad2
Architecture: source
Version: 2.8.8-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Hugo Lefeuvre <hle@debian.org>
Closes: 914641
Changes:
 faad2 (2.8.8-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload with maintainer's permission.
   * CVE-2019-6956: Buffer over-read in the function ps_mix_phase()
     (libfaad/ps_dec.c) (Closes: #914641).
   * CVE-2018-20196: Stack buffer overflow in the function calculate_gain
     (libfaad/sbr_hfadj.c).
   * CVE-2018-20199, CVE-2018-20360: NULL pointer dereference in the function
     ifilter_bank (libfaad/filtbank.c).


--- End Message ---
