
Bug#977764: marked as done (flac: CVE-2020-0499)



Your message dated Sat, 05 Mar 2022 22:47:31 +0000
with message-id <E1nQdBT-0000x2-Bx@fasolo.debian.org>
and subject line Bug#977764: fixed in flac 1.3.2-3+deb10u1
has caused the Debian Bug report #977764,
regarding flac: CVE-2020-0499
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977764
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: flac
Version: 1.3.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for flac.

CVE-2020-0499[0]:
| In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a
| possible out of bounds read due to a heap buffer overflow. This could
| lead to remote information disclosure with no additional execution
| privileges needed. User interaction is needed for
| exploitation. Product: Android. Versions: Android-11. Android ID:
| A-156076070


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-0499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
[1] https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: flac
Source-Version: 1.3.2-3+deb10u1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Jan 2022 20:54:01 +0200
Source: flac
Architecture: source
Version: 1.3.2-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 977764
Changes:
 flac (1.3.2-3+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2020-0499: Out of bounds read due to a heap buffer overflow.
     (Closes: #977764)
Checksums-Sha1:
 beed7240b6c9eb12fb3cbd2ebda5a70d04175599 2264 flac_1.3.2-3+deb10u1.dsc
 acbdec23065b8e3bffc91b0a9f3285732ee08ea4 18476 flac_1.3.2-3+deb10u1.debian.tar.xz
Checksums-Sha256:
 ef81a253510af4ff7de98ea0da4c8b1853635490f332f7503bb2f15f06299e9b 2264 flac_1.3.2-3+deb10u1.dsc
 635ed56a59b3950e1c626ede5ebcc9f6d995879b2bd494b4aa97318029c4be9c 18476 flac_1.3.2-3+deb10u1.debian.tar.xz
Files:
 028037276a414a8fde98ee2470f86464 2264 sound optional flac_1.3.2-3+deb10u1.dsc
 80782583de3d73c7bc59ee319eb7a951 18476 sound optional flac_1.3.2-3+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
