
Bug#991496: marked as done (libsndfile: CVE-2021-3246)



Your message dated Mon, 26 Jul 2021 21:18:42 +0000
with message-id <E1m87zm-000Bjs-FT@fasolo.debian.org>
and subject line Bug#991496: fixed in libsndfile 1.0.31-2
has caused the Debian Bug report #991496,
regarding libsndfile: CVE-2021-3246
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991496: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libsndfile
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libsndfile.

CVE-2021-3246[0]:
| A heap buffer overflow vulnerability in msadpcm_decode_block of
| libsndfile 1.0.30 allows attackers to execute arbitrary code via a
| crafted WAV file.

https://github.com/libsndfile/libsndfile/issues/687

Patch is here:
https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3246
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libsndfile
Source-Version: 1.0.31-2
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991496@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Jul 2021 23:09:17 +0200
Source: libsndfile
Architecture: source
Version: 1.0.31-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 984746 991496
Changes:
 libsndfile (1.0.31-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ IOhannes m zmölnig (Debian/GNU) ]
   * Fix FTBFS with DEB_BUILD_OPTIONS=nocheck.
     Thanks to Helmut Grohne <helmut@subdivi.de> (Closes: #984746)
 .
   [ Sebastian Ramacher ]
   * debian/patches: Apply upstream fix for CVE-2021-3246 (Closes: #991496)
Checksums-Sha1:
 3f633bc69d8b0a759fc7f8bb5c6b9366bdd613c2 2296 libsndfile_1.0.31-2.dsc
 37b6072f98cf00abeb091f9f893fd2f5eba1868e 14264 libsndfile_1.0.31-2.debian.tar.xz
Checksums-Sha256:
 325bf30be4857a5a7eac9866d0161d33804cc6d2b4afc33ee025f30e79c295fc 2296 libsndfile_1.0.31-2.dsc
 54eb467c9026753ccd5d9aee2247ccdc512e87542589fff9fe51ca3e3d36e653 14264 libsndfile_1.0.31-2.debian.tar.xz
Files:
 3dc33e937bce0d338cdf010bb6307feb 2296 devel optional libsndfile_1.0.31-2.dsc
 0551bd670c30e5e9afe69659e3dcedd5 14264 devel optional libsndfile_1.0.31-2.debian.tar.xz


--- End Message ---
