
Bug#893132: marked as done (libvorbisidec: CVE-2018-5147: out-of-bounds memory write)



Your message dated Sat, 17 Mar 2018 21:46:15 +0000
with message-id <E1exJeZ-0004wI-33@fasolo.debian.org>
and subject line Bug#893132: fixed in libvorbisidec 1.0.2+svn18153-1~deb8u2
has caused the Debian Bug report #893132,
regarding libvorbisidec: CVE-2018-5147: out-of-bounds memory write
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
893132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893132
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libvorbisidec
Version: 1.0.2+svn18153-0.2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for libvorbisidec.

CVE-2018-5147[0]:
out-of-bounds memory write

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5147
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5147
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvorbisidec
Source-Version: 1.0.2+svn18153-1~deb8u2

We believe that the bug you reported is fixed in the latest version of
libvorbisidec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvorbisidec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Mar 2018 20:53:05 +0100
Source: libvorbisidec
Binary: libvorbisidec-dev libvorbisidec1
Architecture: source
Version: 1.0.2+svn18153-1~deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 893132
Description: 
 libvorbisidec-dev - Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 libvorbisidec1 - Integer-only Ogg Vorbis decoder, AKA "tremor"
Changes:
 libvorbisidec (1.0.2+svn18153-1~deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
     (Closes: #893132)
Checksums-Sha1: 
 0517002428b9ef48478f73e1e08c23171dae332a 2178 libvorbisidec_1.0.2+svn18153-1~deb8u2.dsc
 e1f8e5281a92029a1bb325ecb247a6d9c8bf7199 149060 libvorbisidec_1.0.2+svn18153.orig.tar.gz
 58dc0b581545007184b70dda956efc47d244959c 6235 libvorbisidec_1.0.2+svn18153-1~deb8u2.diff.gz
Checksums-Sha256: 
 b451cdf36212ffc08813b6e22e138c64cf8089d862099275c6e72aaee9afc0d1 2178 libvorbisidec_1.0.2+svn18153-1~deb8u2.dsc
 4dc8c224289da3479fc10ce4e49ffbb85c790eb2fe55ef480934a265ee0a6782 149060 libvorbisidec_1.0.2+svn18153.orig.tar.gz
 1a66861aa4f05b12831cc4a9c629915f69d96eefbbe2dd4279c106f552860cbb 6235 libvorbisidec_1.0.2+svn18153-1~deb8u2.diff.gz
Files: 
 82e065654ecd84b0999270bb98ffbfca 2178 libs extra libvorbisidec_1.0.2+svn18153-1~deb8u2.dsc
 4190859414c5d6760e316b5cf00fe7c5 149060 libs extra libvorbisidec_1.0.2+svn18153.orig.tar.gz
 6191de785fec795ae39822b597e4eae6 6235 libs extra libvorbisidec_1.0.2+svn18153-1~deb8u2.diff.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
