
Bug#706667: marked as done (xmp: CVE-2013-1980: MASI parsing buffer overflow)



Your message dated Fri, 17 May 2013 07:33:00 +0000
with message-id <E1UdF9w-0001PA-0q@franck.debian.org>
and subject line Bug#706667: fixed in xmp 3.4.0-3
has caused the Debian Bug report #706667,
regarding xmp: CVE-2013-1980: MASI parsing buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
706667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706667
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xmp
Version: 3.4.0-1.1
Severity: important
Tags: security

http://www.openwall.com/lists/oss-security/2013/04/22/5

A vulnerability has been reported in libxmp, which can be exploited by malicious
people to compromise an application using the library. The vulnerability is
caused due to a boundary error in the "get_dsmp()" function
(src/loaders/masi_load.c) when parsing MASI files, which can be exploited to
cause a buffer overflow. Successful exploitation may allow execution of
arbitrary code.

---
Henri Salo

--- End Message ---
--- Begin Message ---
Source: xmp
Source-Version: 3.4.0-3

We believe that the bug you reported is fixed in the latest version of
xmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 17 May 2013 08:51:40 +0200
Source: xmp
Binary: xmp-common xmp xmp-audacious
Architecture: source all amd64
Version: 3.4.0-3
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 xmp        - module player supporting AWE32, GUS, and software-mixing
 xmp-audacious - XMP plugin for Audacious
 xmp-common - common files for xmp and the xmp Audacious plugin
Closes: 706667
Changes: 
 xmp (3.4.0-3) unstable; urgency=low
 .
   * QA upload.
   * Add CVE-2013-1980.patch patch.
     CVE-2013-1980: fix MASI parsing buffer overflow. (Closes: #706667)

--- End Message ---
