Sync flac 1.3.0-3 (main) from Debian unstable (main)

Bug #1398666 reported by Logan Rosen
This bug affects 1 person
Affects:      flac (Ubuntu)
Status:       Fix Released
Importance:   Wishlist
Assigned to:  Unassigned
Milestone:    (none)

Bug Description

Please sync flac 1.3.0-3 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-8962.patch: validate id in
      src/libFLAC/stream_decoder.c.
    - CVE-2014-8962
  * SECURITY UPDATE: arbitrary code execution via crafted .flac file
    - debian/patches/CVE-2014-9028.patch: error out to avoid heap overflow
      in src/libFLAC/stream_decoder.c.
    - CVE-2014-9028
These security fixes were done in Debian.

Changelog entries since current vivid version 1.3.0-2ubuntu1:

flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <email address hidden> Thu, 27 Nov 2014 16:52:51 +0100

Logan Rosen (logan)
Changed in flac (Ubuntu):
importance: Undecided → Wishlist
Daniel Holbach (dholbach) wrote :

This bug was fixed in the package flac - 1.3.0-3
Sponsored for Logan Rosen (logan)

---------------
flac (1.3.0-3) unstable; urgency=high

  * Fixes for CVE-2014-8962 and CVE-2014-9028:
    + Backport three patches from upstream GIT repository:
      - CVE-2014-8962.patch: Fix a buffer read overflow.
      - CVE-2014-9028.patch: Avoid a heap overflow.
      - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to
        the former fix, but strictly speaking not the same vulnerability.
    + Closes: #770918.
    + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!

 -- Fabian Greffrath <email address hidden> Thu, 27 Nov 2014 16:52:51 +0100

Changed in flac (Ubuntu):
status: New → Fix Released