
Bug#991496: marked as done (libsndfile: CVE-2021-3246)



Your message dated Sat, 31 Jul 2021 20:18:35 +0000
with message-id <E1m9vRL-000DA0-59@fasolo.debian.org>
and subject line Bug#991496: fixed in libsndfile 1.0.28-6+deb10u1
has caused the Debian Bug report #991496,
regarding libsndfile: CVE-2021-3246
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991496: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991496
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libsndfile
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libsndfile.

CVE-2021-3246[0]:
| A heap buffer overflow vulnerability in msadpcm_decode_block of
| libsndfile 1.0.30 allows attackers to execute arbitrary code via a
| crafted WAV file.

https://github.com/libsndfile/libsndfile/issues/687

Patch is here:
https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3246
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libsndfile
Source-Version: 1.0.28-6+deb10u1
Done: Moritz Mühlenhoff <jmm@debian.org>

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991496@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 30 Jul 2021 00:14:25 +0200
Source: libsndfile
Binary: libsndfile1 libsndfile1-dbgsym libsndfile1-dev sndfile-programs sndfile-programs-dbgsym
Architecture: source amd64
Version: 1.0.28-6+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
Closes: 991496
Changes:
 libsndfile (1.0.28-6+deb10u1) buster-security; urgency=medium
 .
   * CVE-2021-3246 (Closes: #991496)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
