Debian Bug report logs - #661197
multiple vulnerabilities in csound

Package: csound; Maintainer for csound is Debian Multimedia Maintainers <>; Source for csound is src:csound.

Reported by: Raphael Geissert <>

Date: Fri, 24 Feb 2012 23:12:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Fixed in version csound/1:5.17.6~dfsg-1

Done: Felipe Sateler <>

Bug is archived. No further changes may be made.

Report forwarded to,,,, Debian Multimedia Maintainers <>:
Bug#661197; Package csound. (Fri, 24 Feb 2012 23:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <>:
New Bug report received and forwarded. Copy sent to,,, Debian Multimedia Maintainers <>. (Fri, 24 Feb 2012 23:12:05 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Raphael Geissert <>
To: Debian Bug Tracking System <>
Subject: CVE-2012-0270: buffer overflows
Date: Fri, 24 Feb 2012 17:08:47 -0600
Package: csound
Severity: grave
Tags: security


Two vulnerabilities have been found in csound. Please refer to the
following page for more information:

Raphael Geissert

Information forwarded to, Debian Multimedia Maintainers <>:
Bug#661197; Package csound. (Sun, 11 Mar 2012 04:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <>. (Sun, 11 Mar 2012 04:21:03 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Paul Wise <>
Cc: control <>
Subject: csound: 661197: fixed upstream, patch
Date: Sun, 11 Mar 2012 12:16:51 +0800
[Message part 1 (text/plain, inline)]
tags 661197 + fixed-upstream patch

This bug is fixed upstream in 5.16.6. Should you want to fix it without
uploading the new upstream version, here is the upstream fix:;a=commitdiff;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f

[signature.asc (application/pgp-signature, inline)]

Added tag(s) fixed-upstream and patch. Request was from Paul Wise <> to (Sun, 11 Mar 2012 04:21:05 GMT) Full text and rfc822 format available.

Information forwarded to, Debian Multimedia Maintainers <>:
Bug#661197; Package csound. (Sun, 11 Mar 2012 04:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Felipe Sateler <>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <>. (Sun, 11 Mar 2012 04:36:03 GMT) Full text and rfc822 format available.

Message #17 received at (full text, mbox):

From: Felipe Sateler <>
To: Paul Wise <>,
Subject: Re: Bug#661197: csound: 661197: fixed upstream, patch
Date: Sun, 11 Mar 2012 00:31:26 -0400
On Sun, Mar 11, 2012 at 00:16, Paul Wise <> wrote:
> tags 661197 + fixed-upstream patch
> thanks
> This bug is fixed upstream in 5.16.6. Should you want to fix it without
> uploading the new upstream version, here is the upstream fix:

Thanks for the help. But csound is failing to build now, and for the
new upstream versions I'm switching to the new cmake build system
(which should fix the ftbfs), but it is not complete yet, and I'm
working with upstream to fix it. I hope to have the build system ready


Felipe Sateler

Information forwarded to, Debian Multimedia Maintainers <>:
Bug#661197; Package csound. (Mon, 16 Apr 2012 20:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <>. (Mon, 16 Apr 2012 20:57:03 GMT) Full text and rfc822 format available.

Message #22 received at (full text, mbox):

From: Yves-Alexis Perez <>
Cc: Debian Multimedia Maintainers <>
Subject: More CVEs
Date: Mon, 16 Apr 2012 22:56:13 +0200
[Message part 1 (text/plain, inline)]
retitle 661197 multiple vulnerabilities in csound

More vulnerabilities were found in csound:

CVE-2012-2106: integer overflow in pv_import (
CVE-2012-2107: integer overflow in lpc_import (
CVE-2012-2108: stack-based buffer overflow in lpc_import (

I don't think there's a need for a new bug though, so I'm adding them here.

[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'multiple vulnerabilities in csound' from 'CVE-2012-0270: buffer overflows' Request was from Yves-Alexis Perez <> to (Mon, 16 Apr 2012 20:57:09 GMT) Full text and rfc822 format available.

Reply sent to Felipe Sateler <>:
You have taken responsibility. (Thu, 19 Apr 2012 13:06:08 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <>:
Bug acknowledged by developer. (Thu, 19 Apr 2012 13:06:08 GMT) Full text and rfc822 format available.

Message #29 received at (full text, mbox):

From: Felipe Sateler <>
Subject: Bug#661197: fixed in csound 1:5.17.6~dfsg-1
Date: Thu, 19 Apr 2012 13:02:32 +0000
Source: csound
Source-Version: 1:5.17.6~dfsg-1

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

  to main/c/csound/csladspa_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/csound-data_5.17.6~dfsg-1_all.deb
  to main/c/csound/csound-gui_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/csound-utils_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/csound_5.17.6~dfsg-1.debian.tar.gz
  to main/c/csound/csound_5.17.6~dfsg-1.dsc
  to main/c/csound/csound_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/csound_5.17.6~dfsg.orig.tar.gz
  to main/c/csound/libcsnd-dev_5.17.6~dfsg-1_all.deb
  to main/c/csound/libcsnd-java_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/libcsnd5.2_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/libcsound64-5.2_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/libcsound64-dev_5.17.6~dfsg-1_all.deb
  to main/c/csound/libcsound64-doc_5.17.6~dfsg-1_all.deb
  to main/c/csound/libcsoundac-dev_5.17.6~dfsg-1_all.deb
  to main/c/csound/libcsoundac5.2_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/liblua5.1-luacsnd5.2_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/pd-csound_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/python-csound_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/python-csoundac_5.17.6~dfsg-1_amd64.deb
  to main/c/csound/tclcsound_5.17.6~dfsg-1_amd64.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Felipe Sateler <> (supplier of updated csound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.8
Date: Thu, 19 Apr 2012 09:26:46 -0300
Source: csound
Binary: csound csound-data csound-gui csound-utils libcsound64-5.2 libcsnd-java libcsound64-dev libcsnd-dev libcsoundac-dev pd-csound python-csound libcsnd5.2 liblua5.1-luacsnd5.2 tclcsound libcsoundac5.2 python-csoundac csladspa libcsound64-doc
Architecture: source all amd64
Version: 1:5.17.6~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers <>
Changed-By: Felipe Sateler <>
 csladspa   - LADSPA plugin for Csound
 csound     - powerful and versatile sound synthesis software
 csound-data - data files used by the csound library
 csound-gui - GUI interfaces and opcodes for Csound
 csound-utils - miscellaneous utilities for the Csound system
 libcsnd-dev - development files for Csound -- C++ API
 libcsnd-java - Java bindings for the Csound API
 libcsnd5.2 - C++ bindings for the Csound API
 libcsound64-5.2 - main library for Csound
 libcsound64-dev - development files for Csound
 libcsound64-doc - Csound API documentation
 libcsoundac-dev - development files for CsoundAC
 libcsoundac5.2 - the Csound Algorithmic Composition library
 liblua5.1-luacsnd5.2 - Lua bindings for the Csound API
 pd-csound  - Csound external for PureData
 python-csound - Python bindings for Csound
 python-csoundac - Python bindings for CsoundAC
 tclcsound  - Tcl bindings and interpreters for Csound
Closes: 656034 661197
 csound (1:5.17.6~dfsg-1) unstable; urgency=low
   * New upstream release
    - Do not build the wiimote opcodes (we need wiiuse).
   * Add new API function to symbols file
   * Disable lua opcodes, they were broken. Requires OpenMP to be enabled.
   * Backport fixes from upstream:
     - Link dssi4cs with dl. Backport
     - Fix building of CsoundAC
 csound (1:5.16.6~dfsg-1) UNRELEASED; urgency=low
   * New upstream release
    + Update patches
    + Fix for CVE-2012-0270 included upstream. Closes: #661197
   * Finalize switch to cmake build system.
    + Backport upstream fixes to the cmake build system
 csound (1:5.15.0~dfsg-1) UNRELEASED; urgency=low
   [ Felipe Sateler ]
   * New upstream release
    + Remove patch applied upstream
    + Remove stale option buildLoris
    + Refresh patches
    + Remove stale options for other frontends
    + Document libmpadec copyright
    + Remove plugins that were folded into the main library
    + No GUI clients anymore
   * Recommend stk so that the stk rawwaves can be used. Closes: #656034
   * Preliminary cmake support
    + Remove patch for abi versioned plugin install dir, adopted upstream
    + Remove 1004-fix-csoundac-csnd-linkage.diff, does not apply with cmake
    + Remove 1005-fix-ftbfs-gcc-4.6.diff, does not apply to cmake build system
    + Port patches to cmake build system
    + Drop patches not needed in cmake build system
    + Backport changes from upstream git repository
      - 0000-updated-CMake-build-for-mp3in-changes.patch for mp3in ugen
      - 0001-CMake-BuildSystem-Updates.diff: Lots of Cmake fixes
    + Add Custom.cmake to add the stk include dir
    + Drop debian/rules cleaning not necessary on out-of-tree builds
    + Add patch to enable hidden visibility of most symbols
    + Add patch to link the pd class to libcsound
   * Use CDBS parallel build support
   * Do not install public lua library. It is probably never used
     directly. Just provide the lua module.
   * Add missing opcodes to install list
   * Use CDBS pd class to handle pd lib stripping and shlibs
   [ Jonas Smedegaard ]
   * Unfuzz patches.
   * Update copyright file:
     + Extend copyright years for main Files section.
     + Add a copyright holder.
   * Drop dpkg-source local-options: Defaults since dpkg-source 1.16.1.
   * Bump debhelper compat level to 7.
   * Shorten Vcs-Browser field in control file.
   * Avoid copyright-checking some known-good data files.


Bug archived. Request was from Debbugs Internal Request <> to (Sun, 05 May 2013 08:06:19 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <>. Last modified: Fri Apr 18 13:53:32 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.