-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 25 Apr 2017 09:49:01 -0400
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs
Architecture: source amd64
Version: 1.0.25-9.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
Closes: 860255
Changes:
 libsndfile (1.0.25-9.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backport fix_bufferoverflows.patch from sid to fix CVE-2017-7585,
     CVE-2017-7586 and CVE-2017-7741.
   * Also backport 41da64d9270b2fa10c93ce74dea014fe8f0bd303 from upstream in
     order to backport the above and fix another (undocumented) id3 overflow
     present in < 1.27 fixed in 2011 (!).
   * CVE-2017-7585: In libsndfile before 1.0.28, an error in the
     "flac_buffer_copy()" function (flac.c) can be exploited to cause a
     stack-based buffer overflow via a specially crafted FLAC file.
   * CVE-2017-7586: In libsndfile before 1.0.28, an error in the
     "header_read()" function (common.c) when handling ID3 tags can be
     exploited to cause a stack-based buffer overflow via a specially crafted
     FLAC file.
   * CVE-2017-7741: In libsndfile before 1.0.28, an error in the
     "flac_buffer_copy()" function (flac.c) can be exploited to cause a
     segmentation violation (with write memory access) via a specially
     crafted FLAC file during a resample attempt, a similar issue to
     CVE-2017-7585.
   * Backport 60b234301adf258786d8b90be5c1d437fc8799e0 from upstream to fix
     CVE-2017-7742.
   * CVE-2017-7742: In libsndfile before 1.0.28, an error in the
     "flac_buffer_copy()" function (flac.c) can be exploited to cause a
     segmentation violation (with read memory access) via a specially
     crafted FLAC file during a resample attempt, a similar issue to
     CVE-2017-7585. (Closes: #860255)
   * backport 1.0.25-9 from jessie to fix security issues, while keeping the
     old build system (CVE-2014-9496, CVE-2014-9756, CVE-2015-7805)
Checksums-Sha1:
 edde727ce7087db9aaadc2d120cc46c7cefcff4e 2010 libsndfile_1.0.25-9.1+deb7u1.dsc
 e95d9fca57f7ddace9f197071cbcfb92fa16748e 1060692 libsndfile_1.0.25.orig.tar.gz
 8d775787f445de57d2a6ac17b3666060e44b674a 18274 libsndfile_1.0.25-9.1+deb7u1.debian.tar.gz
 67781e89c335966874590a76319f9f2d0a91b672 392474 libsndfile1-dev_1.0.25-9.1+deb7u1_amd64.deb
 f5be7efc14ef35d8b313632b74a7b9f54ab14c27 245112 libsndfile1_1.0.25-9.1+deb7u1_amd64.deb
 cca28688b559d1aa8872776a93ae2189c2271d61 119734 sndfile-programs_1.0.25-9.1+deb7u1_amd64.deb
Checksums-Sha256:
 15d3e717f0e9ee0f574df8c9c12a5f9d990efd37febbe36d8b7c088e9f55cba9 2010 libsndfile_1.0.25-9.1+deb7u1.dsc
 59016dbd326abe7e2366ded5c344c853829bebfd1702ef26a07ef662d6aa4882 1060692 libsndfile_1.0.25.orig.tar.gz
 e7b83ff6f4609cc801ef77a1cf29ca10764e013bf05c28af009ee7ac3e414933 18274 libsndfile_1.0.25-9.1+deb7u1.debian.tar.gz
 de350cf19626c8c667792dd7abf2716a3f4f41e10c76d58732c5d89c550baf1c 392474 libsndfile1-dev_1.0.25-9.1+deb7u1_amd64.deb
 e4c36728b66d134c3a659913a0caf19c0627d46869f045e9a110498613866827 245112 libsndfile1_1.0.25-9.1+deb7u1_amd64.deb
 ee118e42925809c04d2793b544b6139aeebc55dcb44635a6a1a42fe32533c786 119734 sndfile-programs_1.0.25-9.1+deb7u1_amd64.deb
Files:
 6934380dac7694de7d95ccbc72706c33 2010 devel optional libsndfile_1.0.25-9.1+deb7u1.dsc
 e2b7bb637e01022c7d20f95f9c3990a2 1060692 devel optional libsndfile_1.0.25.orig.tar.gz
 6dd9059743b48a2ab6b63bdde93be26a 18274 devel optional libsndfile_1.0.25-9.1+deb7u1.debian.tar.gz
 7ba17d21cf63546596d9ffae57d8ca72 392474 libdevel optional libsndfile1-dev_1.0.25-9.1+deb7u1_amd64.deb
 47d94f19c64828efd9dca5f7be72cf1b 245112 libs optional libsndfile1_1.0.25-9.1+deb7u1_amd64.deb
 4de6caf8b4511ec9f17cea98fdf6acf1 119734 utils optional sndfile-programs_1.0.25-9.1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjckBzmQUbASK1Q+7eSFSUnt1kh4FAlkE3FoACgkQeSFSUnt1
kh6knQ//cTzy+b7MYv9URpVI2hbh4u4m+TyQ09Pbif5T9moYNo/uHF6w7mauXcOg
872e8TNmtQqW+NDyW1VAaaZmRoh+tP5TmEu+yV9A1jWinE1476VlblLZhAhHFld6
lKcGFlKVV4bHRSrrqJaQZse4CD/Lsl7DEnr2Ab/kRAA9yVWr6ynV8dVN5PtiF3Ce
eIHsMWkAz3YljM3ghEuMo3Uyn2jBTuF++mYyu4K5CJgONFcpdyL97RHYaxmj64HA
SNYodAWbk14ukakB8eNea2wo/4tIAdQvdkIz5orfWVg7mXyzAq6judGKCoz7keTR
ZAsx9kg/xHQJ0uxPtgl/ulKe4+QCK8AVsPTyfGi+ltwonPDsAZ7wuml7cmuKXMWQ
ZIJu3JLj7rCwh+1/YrNa0vS85Qta9oFOgDyB96QCglhROgfeiSDU2Ege48seciap
yqtdjkowDIyN1KcKkzdIHSygL8tEVufGq3Tz8lmRbHx2//VXyhDquxRBJ7bUDFvJ
JwsHjo5MEm/AmgUS/Y5YsWTsDKpLO9nWmh/uU48RilECd4HMG/z9j2WDeKFk14a4
DoL0rGnrkJdo2BACch0l7wdPKiETkod1mMwBrXTeINljEB4VQRRwJgJNI/nclbEi
5vsar4ndQjFwOhfHcCgg3RvawBiPIufirguqxjhvD/RJ0Rh5vn0=
=M+iW
-----END PGP SIGNATURE-----