GNU bug report logs

#36909 CVE-2017-837{2,3,4} patches for libmad from Debian


Report forwarded to help-debbugs@gnu.org:
bug#36909; Package libmad. (Sat, 03 Aug 2019 15:18:02 GMT)


Acknowledgement sent to marit@secmail.pro:
New bug report received and forwarded. Copy sent to help-debbugs@gnu.org. (Sat, 03 Aug 2019 15:18:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: marit@secmail.pro
To: bug-guix@gnu.org
Subject: CVE-2017-837{2,3,4} patches for libmad from Debian
Date: Sat, 3 Aug 2019 05:12:24 -0700
Package: libmad
Version: 0.15.1b
Tags: security
Severity: important

Hello!
I think that package "libmad" should be updated to include fixes for the
following vulnerabilities:
https://security-tracker.debian.org/tracker/CVE-2017-8372,
https://security-tracker.debian.org/tracker/CVE-2017-8373,
https://security-tracker.debian.org/tracker/CVE-2017-8374.
This can be done by applying md_size.diff from Debian and replacing
libmad-frame-length.patch with length-check.diff from Debian.





Merged 36909 36910. Request was from marit@secmail.pro to control@debbugs.gnu.org. (Sat, 03 Aug 2019 17:47:01 GMT)


Merged 36909 36910. Request was from Glenn Morris <rgm@gnu.org> to control@debbugs.gnu.org. (Sat, 03 Aug 2019 17:48:02 GMT)


bug reassigned from package 'libmad' to 'guix'. Request was from Glenn Morris <rgm@gnu.org> to control@debbugs.gnu.org. (Sat, 03 Aug 2019 17:49:02 GMT)


bug No longer marked as found in versions 0.15.1b. Request was from Glenn Morris <rgm@gnu.org> to control@debbugs.gnu.org. (Sat, 03 Aug 2019 17:49:02 GMT)


Reply sent to Mark H Weaver <mhw@netris.org>:
You have taken responsibility. (Tue, 06 Aug 2019 07:29:03 GMT)


Notification sent to marit@secmail.pro:
bug acknowledged by developer. (Tue, 06 Aug 2019 07:29:03 GMT)


Message #18 received at 36909-done@debbugs.gnu.org:

From: Mark H Weaver <mhw@netris.org>
To: marit@secmail.pro
Cc: 36909-done@debbugs.gnu.org
Subject: Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian
Date: Tue, 06 Aug 2019 03:27:43 -0400

Hi,

marit@secmail.pro wrote:

> I think that package "libmad" should be updated to include fixes for the
> following vulnerabilities:
> https://security-tracker.debian.org/tracker/CVE-2017-8372,
> https://security-tracker.debian.org/tracker/CVE-2017-8373,
> https://security-tracker.debian.org/tracker/CVE-2017-8374.
> This can be done by applying md_size.diff from Debian and replacing
> libmad-frame-length.patch with length-check.diff from Debian.

I've applied the updates that you recommended in commit
aac6c53a7bc9a8d22e88a490ebc99ec79d64a05b on our 'master' branch.

Thanks very much for bringing this to our attention.

     Best,
      Mark




Reply sent to Mark H Weaver <mhw@netris.org>:
You have taken responsibility. (Tue, 06 Aug 2019 07:29:04 GMT)


Notification sent to marit@secmail.pro:
bug acknowledged by developer. (Tue, 06 Aug 2019 07:29:04 GMT)


bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 03 Sep 2019 11:24:04 GMT)




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:45:31 2024; Machine Name: wallace-server
