Debian Bug report logs - #499899
fraad2: heap overflow

version graph

Package: faad2; Maintainer for faad2 is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>;

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 23 Sep 2008 13:33:01 UTC

Severity: grave

Tags: patch, security

Fixed in version faad2/2.6.1-3.1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, unknown-package@qa.debian.org:
Bug#499899; Package fraad2. (Tue, 23 Sep 2008 13:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, unknown-package@qa.debian.org. (Tue, 23 Sep 2008 13:33:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fraad2: heap overflow
Date: Tue, 23 Sep 2008 23:27:55 +1000
Package: fraad2
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

fraad2 is affected by a heap overflow, please see the upstream
announcement[0] for more information. Also see the gentoo security
bug for further information[1]. The upstream patch can be found here[2].

As soon as a CVE id is issued, I'll forward it to this bugreport.


Cheers
Steffen

[0]: http://www.audiocoding.com/

[1]: http://bugs.gentoo.org/show_bug.cgi?id=238445

[2]: http://www.audiocoding.com/patch/main_overflow.diff




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#499899; Package fraad2. (Wed, 24 Sep 2008 18:15:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Dornberger <Mike.Dornberger@gmx.de>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. (Wed, 24 Sep 2008 18:15:03 GMT) Full text and rfc822 format available.

Message #10 received at 499899@bugs.debian.org (full text, mbox):

From: Mike Dornberger <Mike.Dornberger@gmx.de>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 499899@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#499899: fraad2: heap overflow
Date: Wed, 24 Sep 2008 20:14:22 +0200
reassign #499899 faad2
thanks

Hi Steffen,

On Tue, Sep 23, 2008 at 11:27:55PM +1000, Steffen Joeris wrote:
> Package: fraad2

> [2]: http://www.audiocoding.com/patch/main_overflow.diff

since this says in summary media-libs/faad2, I'm reassigning this bug
accordingly.

Greetings,
 Mike Dornberger




Bug reassigned from package `fraad2' to `faad2'. Request was from Mike Dornberger <Mike.Dornberger@gmx.de> to control@bugs.debian.org. (Wed, 24 Sep 2008 18:15:04 GMT) Full text and rfc822 format available.

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Fri, 26 Sep 2008 13:30:08 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Fri, 26 Sep 2008 13:30:08 GMT) Full text and rfc822 format available.

Message #17 received at 499899-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 499899-close@bugs.debian.org
Subject: Bug#499899: fixed in faad2 2.6.1-3.1
Date: Fri, 26 Sep 2008 13:02:04 +0000
Source: faad2
Source-Version: 2.6.1-3.1

We believe that the bug you reported is fixed in the latest version of
faad2, which is due to be installed in the Debian FTP archive:

faad2_2.6.1-3.1.diff.gz
  to pool/main/f/faad2/faad2_2.6.1-3.1.diff.gz
faad2_2.6.1-3.1.dsc
  to pool/main/f/faad2/faad2_2.6.1-3.1.dsc
faad_2.6.1-3.1_i386.deb
  to pool/main/f/faad2/faad_2.6.1-3.1_i386.deb
libfaad-dev_2.6.1-3.1_i386.deb
  to pool/main/f/faad2/libfaad-dev_2.6.1-3.1_i386.deb
libfaad0_2.6.1-3.1_i386.deb
  to pool/main/f/faad2/libfaad0_2.6.1-3.1_i386.deb
libfaad2-0_2.6.1-3.1_all.deb
  to pool/main/f/faad2/libfaad2-0_2.6.1-3.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 499899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated faad2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 26 Sep 2008 12:02:35 +0000
Source: faad2
Binary: libfaad0 libfaad2-0 libfaad-dev faad
Architecture: source all i386
Version: 2.6.1-3.1
Distribution: unstable
Urgency: high
Maintainer: Matthew W. S. Bell <matthew@bells23.org.uk>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 faad       - freeware Advanced Audio Decoder player
 libfaad-dev - freeware Advanced Audio Decoder - development files
 libfaad0   - freeware Advanced Audio Decoder - runtime files
 libfaad2-0 - freeware Advanced Audio Decoder - dummy package
Closes: 499899
Changes: 
 faad2 (2.6.1-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Include upstream patch to fix heap overflow in the frontend code
     (Closes: #499899)
Checksums-Sha1: 
 6ab7302373acdd74e4c091fb4946ed5ff02bf3d5 1057 faad2_2.6.1-3.1.dsc
 c66eadccb86a7463a2bddd4ebe3e9d4615ec796a 334566 faad2_2.6.1-3.1.diff.gz
 bffce7f2b24a50b8d2505004a8d491ed016795e7 6340 libfaad2-0_2.6.1-3.1_all.deb
 b725b1a2852fbe05b54a4cb46e8b83290a5e24e1 168116 libfaad0_2.6.1-3.1_i386.deb
 4bc534cb1c6410842dc42c033eee4c86eea59aa7 204646 libfaad-dev_2.6.1-3.1_i386.deb
 ad3e060a4fdcc9a7326bfdc5f6bd8def55df0c2f 30346 faad_2.6.1-3.1_i386.deb
Checksums-Sha256: 
 5e5f6ef23904584ca5f137f918f69e14fe3070285646ac8c8b18b1e5416bf6e8 1057 faad2_2.6.1-3.1.dsc
 24178b8a72b7d049552b6aba0eb3466bb6ef5c11bb36107a318c0bd8a29a1244 334566 faad2_2.6.1-3.1.diff.gz
 2ed920457f5b09352a50bab8b4530e9b0f234c72c91d5b42f98d87363fd38ca8 6340 libfaad2-0_2.6.1-3.1_all.deb
 6a93b197606da383ec51b6d3c443406c07202309417d1474d5bbdcbb0189542d 168116 libfaad0_2.6.1-3.1_i386.deb
 08d1619dc6065782f4f839a07915a4153643d4636c3c3bacf873ca5c9f78a1b5 204646 libfaad-dev_2.6.1-3.1_i386.deb
 a5e0133542a1f28817ca3ca3c3147e58c11d7defb3022799ea60f0b0951a8a51 30346 faad_2.6.1-3.1_i386.deb
Files: 
 ee6dff04537a83f52993d250ed0f831d 1057 libs optional faad2_2.6.1-3.1.dsc
 c0a2262a0b59bff627f1c9aff8a008af 334566 libs optional faad2_2.6.1-3.1.diff.gz
 e2be9e646c136611ef2e6c72d0062fe2 6340 libs optional libfaad2-0_2.6.1-3.1_all.deb
 a76204c2448aab72ec4baca277fbafa2 168116 libs optional libfaad0_2.6.1-3.1_i386.deb
 3b5c1e312a251c71e8fc728e83ba1f37 204646 libdevel optional libfaad-dev_2.6.1-3.1_i386.deb
 eb608789d220ad64f33fd5d70c5a00fc 30346 sound optional faad_2.6.1-3.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjc1K4ACgkQ62zWxYk/rQctUACgwb8mLDDlmr9CE8G4Nis1uanT
ESEAnj4WFwfEDY1wPUQ1LJub2maKbFm/
=NX4M
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Nov 2008 07:32:22 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:50:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.