Your message dated Sat, 14 Dec 2024 13:19:23 +0000
with message-id <E1tMS3H-007xBd-UG@fasolo.debian.org>
and subject line Bug#1088692: fixed in libsndfile 1.2.2-2
has caused the Debian Bug report #1088692,
regarding libsndfile: CVE-2024-50612
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1088692: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088692
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libsndfile: CVE-2024-50612
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Fri, 29 Nov 2024 17:21:32 +0100
- Message-id: <Z0nqDERqHZxI2CXN@pisco.westfalen.local>

Source: libsndfile
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libsndfile.

CVE-2024-50612[0]:
| libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote
| out-of-bounds read.

https://github.com/libsndfile/libsndfile/issues/1035
Fixed by: https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-50612
    https://www.cve.org/CVERecord?id=CVE-2024-50612

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1088692-close@bugs.debian.org
- Subject: Bug#1088692: fixed in libsndfile 1.2.2-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 14 Dec 2024 13:19:23 +0000
- Message-id: <E1tMS3H-007xBd-UG@fasolo.debian.org>
- Reply-to: Fabian Greffrath <fabian@debian.org>

Source: libsndfile
Source-Version: 1.2.2-2
Done: Fabian Greffrath <fabian@debian.org>

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1088692@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 14 Dec 2024 13:50:37 +0100
Source: libsndfile
Architecture: source
Version: 1.2.2-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Closes: 1051891 1076516 1088692
Changes:
 libsndfile (1.2.2-2) unstable; urgency=high
 .
   [ Fabian Toepfer ]
   * SECURITY UPDATE: integer overflow vulnerability (Closes: #1051891)
     - debian/patches/CVE-2022-33065/CVE-2022-33065-*.patch: fix various
       numeric overflow vulnerabilities.
     - CVE-2022-33065
 .
   [ Fabian Greffrath ]
   * Add myself to Uploaders and Debian packaging copyright holders
   * Update the Homepage field
   * Apply patch from upstream to improve error checking for Vorbis
     (Closes: #1088692) CVE-2024-50612
   * Fix Build dependency loop between libsndfile and lame
     (Closes: #1076516) Thanks Samuel Thibault for the patch
   * Upload with urgency=high for the security fixes
--- End Message ---