Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, unknown-package@qa.debian.org: Bug#499899; Package fraad2.
(Tue, 23 Sep 2008 13:33:03 GMT).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, unknown-package@qa.debian.org.
(Tue, 23 Sep 2008 13:33:03 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fraad2: heap overflow
Date: Tue, 23 Sep 2008 23:27:55 +1000
Package: fraad2
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
fraad2 is affected by a heap overflow; please see the upstream
announcement[0] for more information. Also see the Gentoo security
bug for further information[1]. The upstream patch can be found here[2].
As soon as a CVE id is issued, I'll forward it to this bug report.
Cheers
Steffen
[0]: http://www.audiocoding.com/
[1]: http://bugs.gentoo.org/show_bug.cgi?id=238445
[2]: http://www.audiocoding.com/patch/main_overflow.diff
Information forwarded
to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org: Bug#499899; Package fraad2.
(Wed, 24 Sep 2008 18:15:02 GMT).
Acknowledgement sent
to Mike Dornberger <Mike.Dornberger@gmx.de>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org.
(Wed, 24 Sep 2008 18:15:03 GMT).
reassign #499899 faad2
thanks
Hi Steffen,
On Tue, Sep 23, 2008 at 11:27:55PM +1000, Steffen Joeris wrote:
> Package: fraad2
> [2]: http://www.audiocoding.com/patch/main_overflow.diff
since this says in summary media-libs/faad2, I'm reassigning this bug
accordingly.
Greetings,
Mike Dornberger
Bug reassigned from package `fraad2' to `faad2'.
Request was from Mike Dornberger <Mike.Dornberger@gmx.de>
to control@bugs.debian.org.
(Wed, 24 Sep 2008 18:15:04 GMT).
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Fri, 26 Sep 2008 13:30:08 GMT).
Notification sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(Fri, 26 Sep 2008 13:30:08 GMT).
Source: faad2
Source-Version: 2.6.1-3.1
We believe that the bug you reported is fixed in the latest version of
faad2, which is due to be installed in the Debian FTP archive:
faad2_2.6.1-3.1.diff.gz
to pool/main/f/faad2/faad2_2.6.1-3.1.diff.gz
faad2_2.6.1-3.1.dsc
to pool/main/f/faad2/faad2_2.6.1-3.1.dsc
faad_2.6.1-3.1_i386.deb
to pool/main/f/faad2/faad_2.6.1-3.1_i386.deb
libfaad-dev_2.6.1-3.1_i386.deb
to pool/main/f/faad2/libfaad-dev_2.6.1-3.1_i386.deb
libfaad0_2.6.1-3.1_i386.deb
to pool/main/f/faad2/libfaad0_2.6.1-3.1_i386.deb
libfaad2-0_2.6.1-3.1_all.deb
to pool/main/f/faad2/libfaad2-0_2.6.1-3.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 499899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated faad2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 26 Sep 2008 12:02:35 +0000
Source: faad2
Binary: libfaad0 libfaad2-0 libfaad-dev faad
Architecture: source all i386
Version: 2.6.1-3.1
Distribution: unstable
Urgency: high
Maintainer: Matthew W. S. Bell <matthew@bells23.org.uk>
Changed-By: Steffen Joeris <white@debian.org>
Description:
faad - freeware Advanced Audio Decoder player
libfaad-dev - freeware Advanced Audio Decoder - development files
libfaad0 - freeware Advanced Audio Decoder - runtime files
libfaad2-0 - freeware Advanced Audio Decoder - dummy package
Closes: 499899
Changes:
faad2 (2.6.1-3.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Include upstream patch to fix heap overflow in the frontend code
(Closes: #499899)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjc1K4ACgkQ62zWxYk/rQctUACgwb8mLDDlmr9CE8G4Nis1uanT
ESEAnj4WFwfEDY1wPUQ1LJub2maKbFm/
=NX4M
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 01 Nov 2008 07:32:22 GMT).