-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jan 2018 16:28:46 +0100
Source: libmad
Binary: libmad0 libmad0-dev
Architecture: source
Version: 0.15.1b-9
Distribution: unstable
Urgency: high
Maintainer: Mad Maintainers <pkg-mad-maintainers@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 libmad0     - MPEG audio decoder library
 libmad0-dev - MPEG audio decoder development library
Closes: 287519
Changes:
 libmad (0.15.1b-9) unstable; urgency=high
 .
   * Properly check the size of the main data. The previous patch only
     checked that it could fit in the buffer, but didn't ensure there was
     actually enough room free in the buffer. This was assigned both
     CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a
     different way to detect it. (Closes: #287519)
   * Rewrite patch to check the size of the buffer. It now checks it before
     reading it instead of afterwards checking that we did read too much.
     This now also covers parsing the frame and layer3, not just layer 1
     and 2. This was originally reported in #508133. CVE-2017-8374 mentions
     a case in layer 3.
Checksums-Sha1:
 57cdaf8db3f692fbb3ae676d2ba280c869a6f0f2 1860 libmad_0.15.1b-9.dsc
 0ab6e005cbc0e553d99784b520cd92f93eafc68a 13536 libmad_0.15.1b-9.diff.gz
 c11dc21dc3a20731221e31eb702e70f4bbc61128 6754 libmad_0.15.1b-9_source.buildinfo
Checksums-Sha256:
 4c0e95ae62cb51e2e9d80f47c967a9efbff5846c8076ba0ceddb1006fc6c58de 1860 libmad_0.15.1b-9.dsc
 b538f3f2e1686623f571561949bbd190a398fd6c288badbe81ec28499b9672e3 13536 libmad_0.15.1b-9.diff.gz
 a3251532ddda9fe1895c65ef1eba0acea6eed3436bbbe07233e744a3d8a81663 6754 libmad_0.15.1b-9_source.buildinfo
Files:
 63450fb09c6fa823ba948bc8fd15a866 1860 sound optional libmad_0.15.1b-9.dsc
 0cfc29f958d2b3661c82f260a84fe356 13536 sound optional libmad_0.15.1b-9.diff.gz
 c9a57a8888b9def24a7377caf5454692 6754 sound optional libmad_0.15.1b-9_source.buildinfo