
Bug#977764: marked as done (flac: CVE-2020-0499)



Your message dated Mon, 21 Dec 2020 16:04:01 +0000
with message-id <E1krNfF-000D02-QJ@fasolo.debian.org>
and subject line Bug#977764: fixed in flac 1.3.3-2
has caused the Debian Bug report #977764,
regarding flac: CVE-2020-0499
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977764
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: flac
Version: 1.3.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for flac.

CVE-2020-0499[0]:
| In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a
| possible out of bounds read due to a heap buffer overflow. This could
| lead to remote information disclosure with no additional execution
| privileges needed. User interaction is needed for exploitation.
| Product: Android. Versions: Android-11. Android ID: A-156076070


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-0499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
[1] https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: flac
Source-Version: 1.3.3-2
Done: Fabian Greffrath <fabian@debian.org>

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 21 Dec 2020 16:39:34 +0100
Source: flac
Architecture: source
Version: 1.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Closes: 977764
Changes:
 flac (1.3.3-2) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Use secure URI in Homepage field.
 .
   [ Fabian Greffrath ]
   * libFLAC/bitreader.c: Fix out-of-bounds read (CVE-2020-0499),
     Closes: #977764.
Checksums-Sha1:
 f95d09d2d722ced253071b08cace14dea227868b 2266 flac_1.3.3-2.dsc
 cf5c09f7fae3ac1a970d94d882764e560473e545 17428 flac_1.3.3-2.debian.tar.xz
 37b3bee9e571be12495dc1dd729ae25fa7376f55 8479 flac_1.3.3-2_amd64.buildinfo
Checksums-Sha256:
 8e35a77757b44441f8cdf5d5542feb174befa3c0d1c1294ddb7b0be5b38a757e 2266 flac_1.3.3-2.dsc
 78abfda22350056535c501082e17f6e1eb58205ae8a69062b66f7814b945a7f4 17428 flac_1.3.3-2.debian.tar.xz
 57ca32e0d3c3a66c8edd2c1cc1a1717b64eb7b33128429b6cbe26ca1bd027bac 8479 flac_1.3.3-2_amd64.buildinfo
Files:
 bd7d4b930f709db77769eddf0fb91afb 2266 sound optional flac_1.3.3-2.dsc
 28ceafe6d627b86b65f431c45b461a5d 17428 sound optional flac_1.3.3-2.debian.tar.xz
 13a4411510a8db83b1ed4ce095e2d5d2 8479 sound optional flac_1.3.3-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
