
Bug#432008: marked as done (flac123: CVE-2007-3507: stack-based buffer overflow)



Your message dated Fri, 20 Jul 2007 13:02:02 +0000
with message-id <E1IBs7O-0008Rh-BI@ries.debian.org>
and subject line Bug#432008: fixed in flac123 0.0.11-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: flac123
Version: 0.0.9-5
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-3507 [0]:

"Stack-based buffer overflow in the local__vcentry_parse_value function
in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10
allows user-assisted remote attackers to execute arbitrary code via a
large comment value_length."

This vulnerability introduces a security hole allowing access to the
accounts of users who use the package.  The original advisory is
available [1], but this has been fixed upstream as the only change in
0.0.10.  I've attached a drop-in dpatch I created from the diff between
0.0.9 and 0.0.10; the patch applies and the package builds fine, but I
have not done further testing.

Please mention the CVE in your changelog.

Thanks,

Alec

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3507
[1] http://www.isecpartners.com/advisories/2007-002-flactools.txt


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Attachment: CVE-2007-3507.dpatch
Description: application/shellscript


--- End Message ---
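The bug class in the report above is a length field read from the file and trusted when copying into a fixed-size buffer. As an added example (not flac123's or upstream's code), the reader below shows the two checks a Vorbis comment value_length needs before the bytes are copied; the entry layout (32-bit little-endian length followed by that many bytes) is the Vorbis comment format, while VALUE_MAX, the function names and the sample inputs are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define VALUE_MAX 64   /* constructed fixed-size destination, the kind a large value_length overruns */
enum { VC_OK = 0, VC_TRUNCATED = -1, VC_TOO_LONG = -2 };

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read one length-prefixed field at *off into out (NUL-terminated, at most VALUE_MAX-1 bytes). */
static int vc_read_field(const unsigned char *buf, size_t len, size_t *off, char *out) {
    if (*off > len || len - *off < 4) return VC_TRUNCATED;
    uint32_t n = read_le32(buf + *off);
    size_t body = *off + 4;
    /* n comes straight from the file: it must fit the remaining input AND the destination.
     * Omitting the second check is what lets a large value_length overrun the buffer. */
    if (n > len - body) return VC_TRUNCATED;
    if (n >= VALUE_MAX) return VC_TOO_LONG;
    memcpy(out, buf + body, n);
    out[n] = '\0';
    *off = body + n;
    return VC_OK;
}

/* Parse a whole block (vendor string, entry count, entries). Returns the entry count or an error code. */
int vc_parse_block(const unsigned char *buf, size_t len) {
    char field[VALUE_MAX];
    size_t off = 0;
    int rc = vc_read_field(buf, len, &off, field);           /* vendor string */
    if (rc != VC_OK) return rc;
    if (len - off < 4) return VC_TRUNCATED;
    uint32_t count = read_le32(buf + off);
    off += 4;
    for (uint32_t i = 0; i < count; i++)
        if ((rc = vc_read_field(buf, len, &off, field)) != VC_OK) return rc;
    return (int)count;
}

/* Constructed inputs: a valid block; one claiming 0xffffffff bytes that are not present;
 * and one whose 64-byte value fits the input but not the destination buffer. */
static const unsigned char VC_GOOD[] = { 3,0,0,0,'x','y','z', 1,0,0,0,
    9,0,0,0,'T','I','T','L','E','=','a','b','c' };
static const unsigned char VC_SHORT[] = { 3,0,0,0,'x','y','z', 1,0,0,0,
    0xff,0xff,0xff,0xff,'T','I','T' };
int vc_demo_good(void)  { return vc_parse_block(VC_GOOD, sizeof VC_GOOD); }    /* 1 entry */
int vc_demo_short(void) { return vc_parse_block(VC_SHORT, sizeof VC_SHORT); }  /* VC_TRUNCATED */
int vc_demo_oversized(void) {
    unsigned char b[4 + 3 + 4 + 4 + VALUE_MAX] = { 3,0,0,0,'x','y','z', 1,0,0,0, VALUE_MAX,0,0,0 };
    memset(b + 15, 'A', VALUE_MAX);              /* 64-byte value leaves no room for the NUL */
    return vc_parse_block(b, sizeof b);          /* VC_TOO_LONG */
}
```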
--- Begin Message ---
Source: flac123
Source-Version: 0.0.11-1

We believe that the bug you reported is fixed in the latest version of
flac123, which is due to be installed in the Debian FTP archive:

flac123_0.0.11-1.diff.gz
  to pool/main/f/flac123/flac123_0.0.11-1.diff.gz
flac123_0.0.11-1.dsc
  to pool/main/f/flac123/flac123_0.0.11-1.dsc
flac123_0.0.11-1_i386.deb
  to pool/main/f/flac123/flac123_0.0.11-1_i386.deb
flac123_0.0.11.orig.tar.gz
  to pool/main/f/flac123/flac123_0.0.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 432008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated flac123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 20 Jul 2007 14:53:07 +0200
Source: flac123
Binary: flac123
Architecture: source i386
Version: 0.0.11-1
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 flac123    - command-line flac player
Closes: 432008
Changes: 
 flac123 (0.0.11-1) unstable; urgency=low
 .
   * QA upload.
   * New upstream release
     + fixes buffer overflow in vorbis comment parsing (CVE-2007-3507),
       closes: #432008.
     + patch flac-1.1.13 dropped.
   * Updated debian/copyright.
Files: 
 d9ccb04f4cc1a2d6b5964658b82c947f 627 sound optional flac123_0.0.11-1.dsc
 60204986d3556330255b87aa42a4c9d1 71244 sound optional flac123_0.0.11.orig.tar.gz
 649f50c9919ed904fe797f8d2529ff96 83853 sound optional flac123_0.0.11-1.diff.gz
 2501c032267a148a20df3cc604997143 12844 sound optional flac123_0.0.11-1_i386.deb



--- End Message ---
