
Bug#893132: marked as done (libvorbisidec: CVE-2018-5147: out-of-bounds memory write)



Your message dated Fri, 16 Mar 2018 20:55:03 +0000
with message-id <E1ewwNT-000I8Y-0a@fasolo.debian.org>
and subject line Bug#893132: fixed in libvorbisidec 1.2.1+git20180316-1
has caused the Debian Bug report #893132,
regarding libvorbisidec: CVE-2018-5147: out-of-bounds memory write
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
893132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893132
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libvorbisidec
Version: 1.0.2+svn18153-0.2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for libvorbisidec.

CVE-2018-5147[0]:
out-of-bounds memory write

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5147
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5147
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvorbisidec
Source-Version: 1.2.1+git20180316-1

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 16 Mar 2018 21:00:36 +0100
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source
Version: 1.2.1+git20180316-1
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Closes: 893132
Changes:
 libvorbisidec (1.2.1+git20180316-1) unstable; urgency=high
 .
   * QA upload.
   * Update from upstream git.
   * Includes fix for CVE-2018-5147 (closes: #893132).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
