Debian Bug report logs - #475152
libfishsound: CVE-2008-1686 code execution via crafted header containing negative offsets

version graph

Package: libfishsound1; Maintainer for libfishsound1 is Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>; Source for libfishsound1 is src:libfishsound.

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 9 Apr 2008 12:21:02 UTC

Severity: grave

Tags: patch, security

Found in version libfishsound/0.7.0-2

Fixed in versions libfishsound/0.7.0-2.2, xine-lib/1.1.10.1-2+lenny2, libfishsound/0.9.1-2

Done: John Ferlito <johnf@inodes.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jamie Wilkinson <jaq@debian.org>:
Bug#475152; Package libfishsound1. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Jamie Wilkinson <jaq@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: libfishsound: CVE-2008-1686 code execution via crafted header containing negative offsets
Date: Wed, 9 Apr 2008 14:17:56 +0200
[Message part 1 (text/plain, inline)]
Package: libfishsound1
Version: 0.7.0-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libfishsound1.


CVE-2008-1686[0]:
| Uncontrolled array index in Speex 1.1.12 and earlier, as used in
| libfishsound 0.9.0 and earlier, including Illiminable DirectShow
| Filters and Annodex Plugins for Firefox, allows remote attackers to
| execute arbitrary code via a header structure containing a negative
| offset, which is used to dereference a function pointer.

A patch is on:
http://trac.annodex.net/changeset/3536

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
    http://security-tracker.debian.net/tracker/CVE-2008-1686

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jamie Wilkinson <jaq@debian.org>:
Bug#475152; Package libfishsound1. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jamie Wilkinson <jaq@debian.org>. Full text and rfc822 format available.

Message #10 received at 475152@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 475152@bugs.debian.org
Subject: intent to NMU
Date: Thu, 10 Apr 2008 15:03:28 +0200
[Message part 1 (text/plain, inline)]
Hi,
the attached patch fixes this issue.
It will be also archived on:

http://people.debian.org/~nion/nmu-diff/libfishsound-0.7.0-2.1_0.7.0-2.2.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[libfishsound-0.7.0-2.1_0.7.0-2.2.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 475152-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 475152-close@bugs.debian.org
Subject: Bug#475152: fixed in libfishsound 0.7.0-2.2
Date: Sat, 12 Apr 2008 11:47:06 +0000
Source: libfishsound
Source-Version: 0.7.0-2.2

We believe that the bug you reported is fixed in the latest version of
libfishsound, which is due to be installed in the Debian FTP archive:

libfishsound1-dbg_0.7.0-2.2_amd64.deb
  to pool/main/libf/libfishsound/libfishsound1-dbg_0.7.0-2.2_amd64.deb
libfishsound1-dev_0.7.0-2.2_amd64.deb
  to pool/main/libf/libfishsound/libfishsound1-dev_0.7.0-2.2_amd64.deb
libfishsound1_0.7.0-2.2_amd64.deb
  to pool/main/libf/libfishsound/libfishsound1_0.7.0-2.2_amd64.deb
libfishsound_0.7.0-2.2.diff.gz
  to pool/main/libf/libfishsound/libfishsound_0.7.0-2.2.diff.gz
libfishsound_0.7.0-2.2.dsc
  to pool/main/libf/libfishsound/libfishsound_0.7.0-2.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libfishsound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Apr 2008 14:57:28 +0200
Source: libfishsound
Binary: libfishsound1 libfishsound1-dev libfishsound1-dbg
Architecture: source amd64
Version: 0.7.0-2.2
Distribution: unstable
Urgency: high
Maintainer: Jamie Wilkinson <jaq@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libfishsound1 - simple programming interface that wraps Xiph.Org audio codecs
 libfishsound1-dbg - simple programming interface that wraps Xiph.Org audio codecs (de
 libfishsound1-dev - simple programming interface that wraps Xiph.Org audio codecs (de
Closes: 475152
Changes: 
 libfishsound (0.7.0-2.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issue:
     - CVE-2008-1686: insufficient boundary checks on a header structure
       of a speex stream due to missing check for a negative value
       might lead to arbitrary code execution (Closes: #475152).
Checksums-Sha1: 
 8874b32ebe27bbe21032d9ebd01cdfd7dd381ec5 1058 libfishsound_0.7.0-2.2.dsc
 7904b22eeb338923e31b32703e7dcb071abfcb96 204804 libfishsound_0.7.0-2.2.diff.gz
 bfef41420ed98c80787a1f80b5f657253c2c17a5 14746 libfishsound1_0.7.0-2.2_amd64.deb
 29f3e727dd3b795531c3e079abcaabc56e98b490 31028 libfishsound1-dev_0.7.0-2.2_amd64.deb
 1f85641f6bfeb578784df4f5e271ae3f446d54ae 23018 libfishsound1-dbg_0.7.0-2.2_amd64.deb
Checksums-Sha256: 
 b3c56bc9f710f216215f11ad0103efee1275375f1826ef68c04f65bf673e03fb 1058 libfishsound_0.7.0-2.2.dsc
 213433557ac85019d81a799ec7840d289a4fcd11fc5297bc0b5667d5ad45c1dd 204804 libfishsound_0.7.0-2.2.diff.gz
 de7be7882135def617a700d8244fc4e030cb7f2327a87f0209a04d9c4ddad29d 14746 libfishsound1_0.7.0-2.2_amd64.deb
 f84059914e2144d83ee12bc1259351444668c150cd41a79c790082c1b85c7fa8 31028 libfishsound1-dev_0.7.0-2.2_amd64.deb
 e94227facc312d0a7d99c175590312cd44aa18c6a5fe1856b07bb19de40bc46f 23018 libfishsound1-dbg_0.7.0-2.2_amd64.deb
Files: 
 ce9e5d27f954dbbf69be38759b7f6e12 1058 unknown optional libfishsound_0.7.0-2.2.dsc
 8d268f649d641599078e78e652039569 204804 unknown optional libfishsound_0.7.0-2.2.diff.gz
 3e113fd64115b681241093f69e625c48 14746 libs optional libfishsound1_0.7.0-2.2_amd64.deb
 b98597fd334c8e864204d02c63486aa3 31028 libdevel optional libfishsound1-dev_0.7.0-2.2_amd64.deb
 af6c52838ff9220c4202a9aa379ab437 23018 libdevel optional libfishsound1-dbg_0.7.0-2.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIAJ9EHYflSXNkfP8RAnV1AKCkUvVl85ddIW/gYV/nXvNF3rVs2gCfdNbs
IK+5UD/tv66AjiYlcNelCXg=
=uQDo
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 475152-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 475152-close@bugs.debian.org
Subject: Bug#475152: fixed in xine-lib 1.1.10.1-2+lenny2
Date: Tue, 06 May 2008 21:02:09 +0000
Source: xine-lib
Source-Version: 1.1.10.1-2+lenny2

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.10.1-2+lenny2_amd64.deb
libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
  to pool/main/x/xine-lib/libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
libxine1-console_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-console_1.1.10.1-2+lenny2_amd64.deb
libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb
libxine1-doc_1.1.10.1-2+lenny2_all.deb
  to pool/main/x/xine-lib/libxine1-doc_1.1.10.1-2+lenny2_all.deb
libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
libxine1-plugins_1.1.10.1-2+lenny2_all.deb
  to pool/main/x/xine-lib/libxine1-plugins_1.1.10.1-2+lenny2_all.deb
libxine1-x_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-x_1.1.10.1-2+lenny2_amd64.deb
libxine1_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1_1.1.10.1-2+lenny2_amd64.deb
xine-lib_1.1.10.1-2+lenny2.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-2+lenny2.diff.gz
xine-lib_1.1.10.1-2+lenny2.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-2+lenny2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 04 May 2008 13:20:43 +0200
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.10.1-2+lenny2
Distribution: testing-security
Urgency: high
Maintainer: Reinhard Tartler <siretart@tauware.de>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine1   - the xine video/media player library, meta-package
 libxine1-all-plugins - the xine video/media player library, meta package
 libxine1-bin - the xine video/media player library, binary files
 libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for libxine1
 libxine1-dbg - debug symbols for libxine1
 libxine1-doc - the xine video player library, documentation files
 libxine1-ffmpeg - MPEG-related plugins for libxine1
 libxine1-gnome - GNOME-related plugins for libxine1
 libxine1-misc-plugins - Input, audio output and post plugins for libxine1
 libxine1-plugins - the xine video/media player library, meta package
 libxine1-x - X desktop video output plugins for libxine1
Closes: 473057 475152 476990
Changes: 
 xine-lib (1.1.10.1-2+lenny2) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1878: stack-based buffer overflow in nsf demuxer that
       allows execution of arbitrary code via a crafted title (Closes: #476990)
     - CVE-2008-1686: insufficient boundary checking on a header structure that
       is read from user input could lead to arbitrary code to arbitrary
       code execution via negative values (Closes: #475152).
     - CVE-2008-0073: stack-based buffer overflow in subtitle parsing could
       lead to arbitrary code execution via a crafted subtitle
       file (Closes: #473057).
Checksums-Sha1: 
 31c25d033898d041270d0f16a953fb5febf31d0d 2211 xine-lib_1.1.10.1-2+lenny2.dsc
 a88dc84e01f89c885bef69703b2006caf8cdfc90 34458 xine-lib_1.1.10.1-2+lenny2.diff.gz
 c2358de7db8a561a41c32868213384d8a92a36d8 142966 libxine1-doc_1.1.10.1-2+lenny2_all.deb
 276857c90eb87142ad51754d2225c0be732dea91 50544 libxine1-plugins_1.1.10.1-2+lenny2_all.deb
 fa32a31fbdc57f8d6f82be44513368c66b1e9034 50556 libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
 cb7a9d7e8f661f339323bf6d5d3845df727523b1 1268 libxine1_1.1.10.1-2+lenny2_amd64.deb
 2d14e9e7ce99ff75ae896b3b9e84f4899db1dd61 1604388 libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
 d240c01bd1fcbd80a0fca105b55d58d518b2ed28 328448 libxine-dev_1.1.10.1-2+lenny2_amd64.deb
 5bc46fddd655c6388cc957f8c2ff1254b99ca318 380268 libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
 30af87760462b4f4ee0c026acbe1608fdda1f32b 15220 libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
 5fc2a8cae8ec606029b46e79be729910563004de 57688 libxine1-console_1.1.10.1-2+lenny2_amd64.deb
 21ecc3529cc6b989678fb94ff3a4da13abd181d9 209504 libxine1-x_1.1.10.1-2+lenny2_amd64.deb
 f49c66690bb70e496e8ee2199387d5b1f4443e73 797726 libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
 4a5ee081b26626ceb1fae94d7e53ebeb8786958b 3701936 libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb
Checksums-Sha256: 
 73f4bf457b910ddf4af8788644f3fb95dff5fa3f66df374b73ad2deaa3a7b04a 2211 xine-lib_1.1.10.1-2+lenny2.dsc
 a039361198faffb6f46acbc85be9086032db0950ddc21c05223ff1cce92abadc 34458 xine-lib_1.1.10.1-2+lenny2.diff.gz
 9a5c6b29a8919a32c3ebce608a4794db2a92413710282634558dd075ee689179 142966 libxine1-doc_1.1.10.1-2+lenny2_all.deb
 c5617251ff116d2dc81090815050be7539cd61f55a3d27c297fc3c993c2137e9 50544 libxine1-plugins_1.1.10.1-2+lenny2_all.deb
 3de6e5a8104043824463033b6e6e8cd645a9b00f13263abb1a67a1fb12ca0459 50556 libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
 7cf7428f25d7c7e3fa363b0c557e972976533377ac6750442d6dabfc36bf0b3e 1268 libxine1_1.1.10.1-2+lenny2_amd64.deb
 444f5046adc2ddb4e5661ccb1ff28da965e699e0bc8e27b9f5fc5a514b6a3ea4 1604388 libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
 53a3c3560e6c0338996ee3d324e7c8c135c06035ce85a3aa18d60b0f16920c0b 328448 libxine-dev_1.1.10.1-2+lenny2_amd64.deb
 817b7f766141637b8c6a360aa3e832457356976951adab3883a519f310d0641f 380268 libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
 8ffde8e421714442925d1014d1bd58c16bfa7e440d786b9c3e0ba70696c959bb 15220 libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
 9c9ec36551ade7b81df7475376edbd15725cc7ce27dd1d050b035204c5f65666 57688 libxine1-console_1.1.10.1-2+lenny2_amd64.deb
 472cce69ac804ec9c064b03602f362ce323a7c37f84c217547d1f1205804d0d7 209504 libxine1-x_1.1.10.1-2+lenny2_amd64.deb
 59a4111326b66162b813a454cb30534f7e3b8938e64f680ccc28840583d2c1d9 797726 libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
 6edc04c31d1c16fa9471b02d334524806fd35da2701ecb17216f29605ac14439 3701936 libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb
Files: 
 c7749574df280130dd6d19bfd04ff014 2211 libs optional xine-lib_1.1.10.1-2+lenny2.dsc
 3ecf6cf76b8c22a33c78af1658bf1711 34458 libs optional xine-lib_1.1.10.1-2+lenny2.diff.gz
 a87d8d93d0b0b8d95f7721790e165319 142966 doc optional libxine1-doc_1.1.10.1-2+lenny2_all.deb
 ec5a4e8d5f2c892d87267d62f31aaba6 50544 libs extra libxine1-plugins_1.1.10.1-2+lenny2_all.deb
 b5f50475db6743ff21b2afd634e60278 50556 libs extra libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
 649fe6a291271bd0e92cf4ca87d08679 1268 libs optional libxine1_1.1.10.1-2+lenny2_amd64.deb
 c98dcf0ad1e31901563da86b8b4f5db0 1604388 libs optional libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
 d8eb40ef504fe4ff34e83c22e0cbba96 328448 libdevel optional libxine-dev_1.1.10.1-2+lenny2_amd64.deb
 89fe1bd8c31269760658c0de70e1c7e0 380268 libs optional libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
 a0a04f8aee0a952969cbbf7ad7d87775 15220 libs optional libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
 23d7096e4976cf8fdf009484610d3977 57688 libs extra libxine1-console_1.1.10.1-2+lenny2_amd64.deb
 a58a93d8fb2cddd36afbfd63bf0c8fa5 209504 libs optional libxine1-x_1.1.10.1-2+lenny2_amd64.deb
 f620e31f218b741b78d82f81546f0e2d 797726 libs optional libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
 e17a7735fa7bb11f4719e20e6c29fdde 3701936 libs extra libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIHy9MHYflSXNkfP8RAuTSAJ9FH6spes5TmonfTOl0gOJhC3yBsACcDSuT
pUFRqyH915uFIt4x/2Glu0k=
=Uc8W
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Jamie Wilkinson <jaq@debian.org>:
Bug#475152; Package libfishsound1. Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jamie Wilkinson <jaq@debian.org>. Full text and rfc822 format available.

Message #25 received at 475152@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 475152@bugs.debian.org
Subject: re: bug #475152
Date: Mon, 12 May 2008 21:57:50 -0400
looks like ubuntu has released updated versions of the packages
affected by this vulnerability [1].  any chance the fixes for etch
will be released soon?

[1]  http://www.ubuntu.com/usn/usn-611-1




Reply sent to John Ferlito <johnf@inodes.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 475152-close@bugs.debian.org (full text, mbox):

From: John Ferlito <johnf@inodes.org>
To: 475152-close@bugs.debian.org
Subject: Bug#475152: fixed in libfishsound 0.9.1-2
Date: Thu, 24 Jul 2008 07:47:08 +0000
Source: libfishsound
Source-Version: 0.9.1-2

We believe that the bug you reported is fixed in the latest version of
libfishsound, which is due to be installed in the Debian FTP archive:

libfishsound1-dbg_0.9.1-2_i386.deb
  to pool/main/libf/libfishsound/libfishsound1-dbg_0.9.1-2_i386.deb
libfishsound1-dev_0.9.1-2_i386.deb
  to pool/main/libf/libfishsound/libfishsound1-dev_0.9.1-2_i386.deb
libfishsound1_0.9.1-2_i386.deb
  to pool/main/libf/libfishsound/libfishsound1_0.9.1-2_i386.deb
libfishsound_0.9.1-2.diff.gz
  to pool/main/libf/libfishsound/libfishsound_0.9.1-2.diff.gz
libfishsound_0.9.1-2.dsc
  to pool/main/libf/libfishsound/libfishsound_0.9.1-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Ferlito <johnf@inodes.org> (supplier of updated libfishsound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Jul 2008 20:23:53 +1000
Source: libfishsound
Binary: libfishsound1 libfishsound1-dev libfishsound1-dbg
Architecture: source i386
Version: 0.9.1-2
Distribution: unstable
Urgency: low
Maintainer: John Ferlito <johnf@inodes.org>
Changed-By: John Ferlito <johnf@inodes.org>
Description: 
 libfishsound1 - simple API that wraps Xiph.Org audio codecs
 libfishsound1-dbg - simple API that wraps Xiph.Org audio codecs (debugging informatio
 libfishsound1-dev - simple API that wraps Xiph.Org audio codecs (development files)
Closes: 475152
Changes: 
 libfishsound (0.9.1-2) unstable; urgency=low
 .
   * CVE-2008-1686 code execution via crafted header containing negative
     offsets, should have been closed in 0.9.1-1 (Closes: #475152)
   * Add DM-Upload-Allowed: yes to debian/control
   * Update standards version to 3.8.0 (no changes)
Checksums-Sha1: 
 ee9f9de128652c95721d68b90881869aa0266605 1074 libfishsound_0.9.1-2.dsc
 3fa52d56cc132c16be2b026cec99130969321373 3384 libfishsound_0.9.1-2.diff.gz
 3db82150a0127ede45578890161b1a35475227d8 17404 libfishsound1_0.9.1-2_i386.deb
 6e83ec0a481c4b9b5d279b60942ce684d2523d03 35566 libfishsound1-dev_0.9.1-2_i386.deb
 1ed69fe2ebade17fa63d7f380e084c6fe4624747 28608 libfishsound1-dbg_0.9.1-2_i386.deb
Checksums-Sha256: 
 f04ee1f39f4f3c26c61980a98030ecd75f5c9c1b356ca3b8c6c60b3bf7299657 1074 libfishsound_0.9.1-2.dsc
 10dd21ce7488ad4e4c267c956c67142386e2471b7bda12b5ea27644370d85ba4 3384 libfishsound_0.9.1-2.diff.gz
 f2b43251eca8bcfa2eee72c81273dc84a3c129a383f00584f7f8ef14ab81dca8 17404 libfishsound1_0.9.1-2_i386.deb
 5ca2b222582e05c4a24075181062672d834871222275994db526fcb12b8f0a3c 35566 libfishsound1-dev_0.9.1-2_i386.deb
 acbd9083186114958c986279519e1309af18f78a5bc24749b6ba532e9fb0d0a3 28608 libfishsound1-dbg_0.9.1-2_i386.deb
Files: 
 55940eee15313182feae016c8aac199d 1074 unknown optional libfishsound_0.9.1-2.dsc
 635393a410943665c07af44bbce50cd0 3384 unknown optional libfishsound_0.9.1-2.diff.gz
 69f7c877606e8deb2b4785b085f01c03 17404 libs optional libfishsound1_0.9.1-2_i386.deb
 449a5ec466fdee672bc48b47a4497f39 35566 libdevel optional libfishsound1-dev_0.9.1-2_i386.deb
 4b969ab584abc86ae6deffcb63af63ed 28608 libdevel extra libfishsound1-dbg_0.9.1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiIMr8ACgkQ5u9oNyz9HDiOGgCgnkcwvg2DEqcJo/hMr/KtvJxv
d4IAoMyuuHD5N2/a1fn4xXCFKOtFbd/8
=xo8t
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, John Ferlito <johnf@inodes.org>:
Bug#475152; Package libfishsound1. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to John Ferlito <johnf@inodes.org>. Full text and rfc822 format available.

Message #35 received at 475152@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 475152@bugs.debian.org
Subject: Re: Bug#475152 closed by John Ferlito <johnf@inodes.org> (Bug#475152: fixed in libfishsound 0.9.1-2)
Date: Thu, 24 Jul 2008 12:16:36 +0200
[Message part 1 (text/plain, inline)]
[...] 
>    * CVE-2008-1686 code execution via crafted header containing negative
>      offsets, should have been closed in 0.9.1-1 (Closes: #475152)

This bug was already fixed...
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:09:09 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:53:07 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.