
Bug#978548: marked as done (wavpack: CVE-2020-35738)



Your message dated Wed, 30 Dec 2020 09:49:24 +0000
with message-id <E1kuY6e-000F3E-M4@fasolo.debian.org>
and subject line Bug#978548: fixed in wavpack 5.3.0-2
has caused the Debian Bug report #978548,
regarding wavpack: CVE-2020-35738
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
978548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978548
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: wavpack
Version: 5.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/91
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for wavpack.

CVE-2020-35738[0]:
| WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in
| pack_utils.c because of an integer overflow in a malloc argument.
| NOTE: some third-parties claim that there are later "unofficial"
| releases through 5.3.2, which are also affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
[1] https://github.com/dbry/WavPack/issues/91

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wavpack
Source-Version: 5.3.0-2
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978548@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 30 Dec 2020 10:40:48 +0100
Source: wavpack
Architecture: source
Version: 5.3.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 978548
Changes:
 wavpack (5.3.0-2) unstable; urgency=medium
 .
   * debian/control: Bump Standards-Version
   * debian/: Bump debhelper compat to 13
   * debian/patches: Add upstream patches for CVE-2020-35738 (Closes: #978548)
Checksums-Sha1:
 ed2c34da806e1c03f1c69b5635d63f3251d10215 2059 wavpack_5.3.0-2.dsc
 28ad3c0b6aa84d783dc0ace90fe4c68a11d7e95a 7268 wavpack_5.3.0-2.debian.tar.xz
Checksums-Sha256:
 cce90e767a5c78ca5fa333ceb417212422bf44bbe075e2a4d1bd522d285a780b 2059 wavpack_5.3.0-2.dsc
 b9b67868d9b2e85c4895a078a7020b300c01d75c63ff6d90f2b876680b56cb9a 7268 wavpack_5.3.0-2.debian.tar.xz
Files:
 147e7b591215a6fd21afb38f940ef7e8 2059 sound optional wavpack_5.3.0-2.dsc
 90bacfa26ba7df3d64e22f906ec46c42 7268 sound optional wavpack_5.3.0-2.debian.tar.xz


--- End Message ---
