Debian Bug report logs - #383030
multiple buffer overflows in libmusicbrainz

Package: libmusicbrainz-2.1; Maintainer for libmusicbrainz-2.1 is Debian QA Group <packages@qa.debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 14 Aug 2006 17:18:13 UTC

Severity: grave

Tags: fixed, patch, security

Done: Jens Peter Secher <jps@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#383030; Package libmusicbrainz-2.1.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: multiple buffer overflows in libmusicbrainz
Date: Mon, 14 Aug 2006 19:02:31 +0200
package: libmusicbrainz-2.1
severity: grave
tags: security

Some buffer overflows have been found in libmusicbrainz up to 2.1.2. 

See

http://aluigi.altervista.org/adv/brainzbof-adv.txt
http://secunia.com/advisories/21404/

for details.



Information forwarded to debian-bugs-dist@lists.debian.org, Lukáš Lalinský <lalinsky@gmail.com>:
Bug#383030; Package libmusicbrainz-2.1.

Acknowledgement sent to "Martín Ferrari" <martin.ferrari@gmail.com>:
Extra info received and forwarded to list. Copy sent to Lukáš Lalinský <lalinsky@gmail.com>.

Message #10 received at 383030@bugs.debian.org:

From: "Martín Ferrari" <martin.ferrari@gmail.com>
To: debian-security@lists.debian.org, 383030@bugs.debian.org, control@bugs.debian.org, 383030-submitter@bugs.debian.org
Subject: Fix for one of the two vulnerabilities
Date: Tue, 22 Aug 2006 02:26:24 -0300
tags 383030 +patch
thanks

Hi,
I think this patch fixes the first vulnerability reported. I'm CCing
debian-security as it would be good if somebody more seasoned in these
matters could take a look at it (please CC me).

-- 
Martín Ferrari
[libmusicbrainz-buffer-overflow1.patch (text/x-patch, attachment)]

Tags added: patch Request was from "Martín Ferrari" <martin.ferrari@gmail.com> to control@bugs.debian.org.

Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#383030.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#383030; Package libmusicbrainz-2.1.

Acknowledgement sent to Lukáš Lalinský <lalinsky@gmail.com>:
Extra info received and forwarded to list.

Message #20 received at 383030@bugs.debian.org:

From: Lukáš Lalinský <lalinsky@gmail.com>
To: Jens Peter Secher <jps@debian.org>
Cc: Martín Ferrari <martin.ferrari@gmail.com>, debian-security@lists.debian.org, 383030@bugs.debian.org
Subject: Re: Bug#383030: Fix for one of the two vulnerabilities
Date: Tue, 22 Aug 2006 12:10:37 +0200
Jens Peter Secher wrote:
> On 8/22/06, Martín Ferrari <martin.ferrari@gmail.com> wrote:
> 
>> I think this patch fixes the first vulnerability reported. I'm CCing
>> debian-security as it would be good if somebody more seasoned in these
>> matters could take a look at it (please CC me).
> 
> Lukáš Lalinský is upstream maintainer as well as Debian package
> maintainer.  He is in the process of dealing with this.
> 
> Lukáš, could you put a note about your plans in the two open bugs?

Sure. The fix for both of them is already in the MusicBrainz SVN (for this one it's
http://bugs.musicbrainz.org/changeset/8440) and both of these fixes are also
included in the 2.1.4 release:
http://ftp.musicbrainz.org/pub/musicbrainz/libmusicbrainz-2.1.4.tar.gz

Here is the package for unstable:
http://users.musicbrainz.org/~luks/tmp/libmusicbrainz-2.1_2.1.4-1.diff.gz
http://users.musicbrainz.org/~luks/tmp/libmusicbrainz-2.1_2.1.4-1.dsc
http://users.musicbrainz.org/~luks/tmp/libmusicbrainz-2.1_2.1.4.orig.tar.gz
Jens, could you please upload it?

And for stable-security, this patch could probably be used (however I'm not sure
how to prepare the package):
http://bugs.musicbrainz.org/changeset/8440?format=diff&new=8440

-Lukáš



Information forwarded to debian-bugs-dist@lists.debian.org, Lukáš Lalinský <lalinsky@gmail.com>:
Bug#383030; Package libmusicbrainz-2.1.

Acknowledgement sent to "Martín Ferrari" <martin.ferrari@gmail.com>:
Extra info received and forwarded to list. Copy sent to Lukáš Lalinský <lalinsky@gmail.com>.

Message #25 received at 383030@bugs.debian.org:

From: "Martín Ferrari" <martin.ferrari@gmail.com>
To: "Lukáš Lalinský" <lalinsky@gmail.com>
Cc: "Jens Peter Secher" <jps@debian.org>, debian-security@lists.debian.org, 383030@bugs.debian.org
Subject: Re: Bug#383030: Fix for one of the two vulnerabilities
Date: Tue, 22 Aug 2006 11:08:49 -0300
On 8/22/06, Lukáš Lalinský <lalinsky@gmail.com> wrote:
> Jens Peter Secher wrote:

> > Lukáš Lalinský is upstream maintainer as well as Debian package
> > maintainer.  He is in the process of dealing with this.
> >
> > Lukáš, could you put a note about your plans in the two open bugs?
>
> Sure. The fix for both of them is already in the MusicBrainz SVN (for this one it's
> http://bugs.musicbrainz.org/changeset/8440) and both of these fixes are also
> included in the 2.1.4 release:
> http://ftp.musicbrainz.org/pub/musicbrainz/libmusicbrainz-2.1.4.tar.gz

Ah well, I started working on it since I saw no mention of a fix for
this anywhere.. :s

-- 
Martín Ferrari

Tags added: fixed Request was from Lukáš Lalinský <lalinsky@gmail.com> to control@bugs.debian.org.

Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #32 received at 383030-close@bugs.debian.org:

From: Jens Peter Secher <jps@debian.org>
To: 383030-close@bugs.debian.org, 383402-close@bugs.debian.org
Subject: Bugs #383030 & #383402 fixed in most recent upload
Date: Sat, 26 Aug 2006 17:41:41 +0200
Bugs #383030 & #383402 fixed in most recent upload.
-- 
                                                    Jens Peter Secher
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 22:06:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 02:06:51 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.