Activity log for bug #1737364

Date Who What changed Old value New value Message
2017-12-09 23:07:54 Jeremy Bícha bug added bug
2017-12-09 23:09:12 Jeremy Bícha attachment added brotli-xenial-lp1737364.debdiff https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737364/+attachment/5020748/+files/brotli-xenial-lp1737364.debdiff
2017-12-09 23:09:25 Jeremy Bícha tags xenial patch xenial
2017-12-09 23:09:35 Jeremy Bícha cve linked 2016-1624
2017-12-09 23:09:48 Jeremy Bícha cve linked 2016-1968
2017-12-09 23:10:05 Jeremy Bícha bug added subscriber Ubuntu Security Sponsors Team
2017-12-09 23:14:04 Jeremy Bícha description

Old value:

Impact
------
Integer underflow could be targeted as a buffer overflow
https://security-tracker.debian.org/tracker/source-package/brotli

Debdiff attached.

Regression Potential
--------------------
This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from late March to mid June 2016 when it was superseded by a newer version. The Ubuntu security sync tool wasn't able to retrieve this version now.

brotli has no reverse dependencies in Ubuntu and is in universe.

Testing Done
------------
Only a simple build test. There is a build test to ensure basic functionality of brotli with both python2 and python3.

Other Info
----------
The main purpose of this security update is to clear up the security history section of MIR LP: #1737053.

It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to be backported to Ubuntu 16.04 and 17.10 as a security update (and promoted to main there), after 17.04 reaches End of Life.

New value:

Impact
------
Integer underflow could be targeted as a buffer overflow
https://security-tracker.debian.org/tracker/source-package/brotli

Debdiff attached.

Because brotli is embedded in web browsers for WOFF2 support (to be somewhat fixed by the proposed brotli MIR), this issue was already mentioned in

https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox)
Luke Li discovered a buffer overflow during Brotli decompression in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1968)

https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide)
An integer underflow was discovered in Brotli. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2016-1624)

Regression Potential
--------------------
This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from late March to mid June 2016 when it was superseded by a newer version. The Ubuntu security sync tool wasn't able to retrieve this version now.

brotli has no reverse dependencies in Ubuntu and is in universe.

Testing Done
------------
Only a simple build test. There is a build test to ensure basic functionality of brotli with both python2 and python3.

Other Info
----------
The main purpose of this security update is to clear up the security history section of MIR LP: #1737053.

It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to be backported to Ubuntu 16.04 and 17.10 as a security update (and promoted to main there), after 17.04 reaches End of Life.
2018-02-05 19:44:32 Marc Deslauriers nominated for series Ubuntu Xenial
2018-02-05 19:44:32 Marc Deslauriers bug task added brotli (Ubuntu Xenial)
2018-02-05 19:45:53 Marc Deslauriers brotli (Ubuntu): status New Fix Released
2018-02-05 19:45:56 Marc Deslauriers brotli (Ubuntu Xenial): status New Fix Committed
2018-02-05 20:28:48 Launchpad Janitor brotli (Ubuntu Xenial): status Fix Committed Fix Released