Your message dated Sat, 26 Mar 2022 12:02:22 +0000 with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk> and subject line Closing requests for updates in 10.12 has caused the Debian Bug report #1003842, regarding buster-pu: package flac/1.3.2-3+deb10u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1003842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003842 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package flac/1.3.2-3+deb10u1
- From: Adrian Bunk <bunk@debian.org>
- Date: Sun, 16 Jan 2022 21:03:39 +0200
- Message-id: <164235981965.1561.654031692305667850.reportbug@localhost>
Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu * CVE-2020-0499: Out of bounds read due to a heap buffer overflow. (Closes: #977764)diff -Nru flac-1.3.2/debian/changelog flac-1.3.2/debian/changelog --- flac-1.3.2/debian/changelog 2018-05-16 22:35:01.000000000 +0300 +++ flac-1.3.2/debian/changelog 2022-01-16 20:54:01.000000000 +0200 @@ -1,3 +1,11 @@ +flac (1.3.2-3+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * CVE-2020-0499: Out of bounds read due to a heap buffer overflow. + (Closes: #977764) + + -- Adrian Bunk <bunk@debian.org> Sun, 16 Jan 2022 20:54:01 +0200 + flac (1.3.2-3) unstable; urgency=medium * Use my debian account in Uploaders field and diff -Nru flac-1.3.2/debian/patches/0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch flac-1.3.2/debian/patches/0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch --- flac-1.3.2/debian/patches/0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch 1970-01-01 02:00:00.000000000 +0200 +++ flac-1.3.2/debian/patches/0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch 2022-01-16 20:53:21.000000000 +0200 @@ -0,0 +1,28 @@ +From 2b3dcc9e6c3fcba41fd1fb795e43419c22e03eb5 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Mon, 7 Oct 2019 12:55:58 +1100 +Subject: libFLAC/bitreader.c: Fix out-of-bounds read + +Credit: Oss-Fuzz +Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069 +Testcase: fuzzer_decoder-5670265022840832 +--- + src/libFLAC/bitreader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libFLAC/bitreader.c b/src/libFLAC/bitreader.c +index ab62d414..8969714e 100644 +--- a/src/libFLAC/bitreader.c ++++ b/src/libFLAC/bitreader.c +@@ -859,7 +859,7 @@ incomplete_lsbs: + cwords = br->consumed_words; + words = br->words; + ucbits = FLAC__BITS_PER_WORD - br->consumed_bits; +- b = br->buffer[cwords] << br->consumed_bits; ++ b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0; + } while(cwords >= words && val < end); + } + +-- +2.20.1 + diff -Nru flac-1.3.2/debian/patches/series flac-1.3.2/debian/patches/series --- flac-1.3.2/debian/patches/series 2018-05-16 21:55:07.000000000 +0300 +++ flac-1.3.2/debian/patches/series 2022-01-16 20:53:49.000000000 +0200 @@ -4,3 +4,4 @@ 0050-stream_decoder.c-Fix-a-memory-leak.patch 0051-metaflac-Fix-a-memory-leak.patch 0001-remove-build-path-from-generated-FLAC.tag-file.patch +0001-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
--- End Message ---
--- Begin Message ---
- To: 959469-done@bugs.debian.org, 985063-done@bugs.debian.org, 987376-done@bugs.debian.org, 992546-done@bugs.debian.org, 992613-done@bugs.debian.org, 995748-done@bugs.debian.org, 996023-done@bugs.debian.org, 996024-done@bugs.debian.org, 996600-done@bugs.debian.org, 996624-done@bugs.debian.org, 996695-done@bugs.debian.org, 996929-done@bugs.debian.org, 996997-done@bugs.debian.org, 997079-done@bugs.debian.org, 998042-done@bugs.debian.org, 998248-done@bugs.debian.org, 998344-done@bugs.debian.org, 1000218-done@bugs.debian.org, 1000341-done@bugs.debian.org, 1000386-done@bugs.debian.org, 1000408-done@bugs.debian.org, 1000473-done@bugs.debian.org, 1000479-done@bugs.debian.org, 1000480-done@bugs.debian.org, 1000486-done@bugs.debian.org, 1000608-done@bugs.debian.org, 1001043-done@bugs.debian.org, 1001149-done@bugs.debian.org, 1001280-done@bugs.debian.org, 1001454-done@bugs.debian.org, 1001556-done@bugs.debian.org, 1001749-done@bugs.debian.org, 1001752-done@bugs.debian.org, 1002297-done@bugs.debian.org, 1002298-done@bugs.debian.org, 1002740-done@bugs.debian.org, 1002912-done@bugs.debian.org, 1003795-done@bugs.debian.org, 1003825-done@bugs.debian.org, 1003826-done@bugs.debian.org, 1003827-done@bugs.debian.org, 1003841-done@bugs.debian.org, 1003842-done@bugs.debian.org, 1004049-done@bugs.debian.org, 1004055-done@bugs.debian.org, 1004056-done@bugs.debian.org, 1004249-done@bugs.debian.org, 1004261-done@bugs.debian.org, 1004265-done@bugs.debian.org, 1004267-done@bugs.debian.org, 1004268-done@bugs.debian.org, 1005000-done@bugs.debian.org, 1005218-done@bugs.debian.org, 1005233-done@bugs.debian.org, 1005353-done@bugs.debian.org, 1005374-done@bugs.debian.org, 1006377-done@bugs.debian.org, 1006417-done@bugs.debian.org, 1006494-done@bugs.debian.org, 1006525-done@bugs.debian.org, 1007745-done@bugs.debian.org, 1007746-done@bugs.debian.org, 1007879-done@bugs.debian.org, 1007938-done@bugs.debian.org, 1007948-done@bugs.debian.org, 1007964-done@bugs.debian.org, 1008030-done@bugs.debian.org, 1008072-done@bugs.debian.org, 1006142-done@bugs.debian.org
- Subject: Closing requests for updates in 10.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 26 Mar 2022 12:02:22 +0000
- Message-id: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 10.12 Hi, The updates referenced in these requests were included in oldstable as part of today's 10.12 point release. Regards, Adam
--- End Message ---