-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 01 May 2018 13:20:28 +0200
Source: libmad
Binary: libmad0 libmad0-dev
Architecture: source amd64
Version: 0.15.1b-8+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Mad Maintainers <pkg-mad-maintainers@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 libmad0    - MPEG audio decoder library
 libmad0-dev - MPEG audio decoder development library
Closes: 287519
Changes:
 libmad (0.15.1b-8+deb9u1) stretch-security; urgency=high
 .
   * Properly check the size of the main data. The previous patch only
     checked that it could fit in the buffer, but didn't ensure there was
     actually enough room free in the buffer. This was assigned both
     CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a
     different way to detect it. (Closes: #287519)
   * Rewrite patch to check the size of buffer. It now checks it before
     reading it instead of afterwards checking that we did read too much.
     This now also covers parsing the frame and layer3, not just layer 1
     and 2. This was originally reported in #508133. CVE-2017-8374 mentions
     a case in layer 3.
Checksums-Sha1:
 04cc06ae09edb60f1cda7beaac6a744885b350be 1926 libmad_0.15.1b-8+deb9u1.dsc
 cac19cd00e1a907f3150cc040ccc077783496d76 502379 libmad_0.15.1b.orig.tar.gz
 12db76295603655c090a5aeae6a5bf8c4bf3b763 13490 libmad_0.15.1b-8+deb9u1.diff.gz
 a6408f5bf8842a7247ce5c58a735021e3be91f05 3632 libmad0-dbgsym_0.15.1b-8+deb9u1_amd64.deb
 19aa8b3ddd126d72949ca65100f4edf57961342c 78676 libmad0-dev_0.15.1b-8+deb9u1_amd64.deb
 8004b2586e618f8a2536521d4c45f2a36198230c 70728 libmad0_0.15.1b-8+deb9u1_amd64.deb
 c97af0ebefe028d21ebdc2f316979f96448491be 6336 libmad_0.15.1b-8+deb9u1_amd64.buildinfo
Checksums-Sha256:
 022e21d5adaa93adb98b604b5aa444df85f55eb2365d9f26b340976b3ad7ebaa 1926 libmad_0.15.1b-8+deb9u1.dsc
 bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690 502379 libmad_0.15.1b.orig.tar.gz
 e9f0d81cfeea77e3e6b09ff153c65b6a3d5232382e70b7a754c447720d8a12c2 13490 libmad_0.15.1b-8+deb9u1.diff.gz
 a49b0025361730de473f837bb709d82effeec0cc0e9dab916fb6027dcfc56de3 3632 libmad0-dbgsym_0.15.1b-8+deb9u1_amd64.deb
 da774302b902a5f92f266e92f105adbd5c717846963626e4af71b3d2006aa794 78676 libmad0-dev_0.15.1b-8+deb9u1_amd64.deb
 8d3c851119b943be053d67a83701f79d3fa3f14c7bed7458f353a8c366a4be7e 70728 libmad0_0.15.1b-8+deb9u1_amd64.deb
 650059267cbc61fe54b13ddb2a346186397a1ab7bf876864e09f8eb2567aeb76 6336 libmad_0.15.1b-8+deb9u1_amd64.buildinfo
Files:
 c801fe1e9b8c21055a46ddede164299f 1926 sound optional libmad_0.15.1b-8+deb9u1.dsc
 1be543bc30c56fb6bea1d7bf6a64e66c 502379 sound optional libmad_0.15.1b.orig.tar.gz
 94a2ba304d0482051e8e18fb5f71cf80 13490 sound optional libmad_0.15.1b-8+deb9u1.diff.gz
 9765426c66cba4d3a92012f55ea429c6 3632 debug extra libmad0-dbgsym_0.15.1b-8+deb9u1_amd64.deb
 eac4e030d64d45c518676993c657be74 78676 libdevel optional libmad0-dev_0.15.1b-8+deb9u1_amd64.deb
 2f210109b458df559e4c1f3577e04455 70728 libs optional libmad0_0.15.1b-8+deb9u1_amd64.deb
 4e271c3c7b5ed04a1d9eab24e8f112e0 6336 sound optional libmad_0.15.1b-8+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUWHm1ANgDdycoJP748TdzR5MEkQFAlroY8QACgkQ48TdzR5M
EkRGnQ//eLKBX7VIlHBdrGrfe0VpVA280trMVGfR10OYz+OUdQitS7hJjPs/h7qK
Ygocb+zvA3+lS1RlacmGd21aeWU0wUL4g6bc/T6/oVCpH+Erzgwpv1DwYbYstSWl
vGJCSIpsQN5beZJ7rMA7P8++7mjCvr7SaKB6ffsTOG3da2xbZrGOcRBqC35X/nkW
GkkKWSpynEwwhmyK04H3g6c8Ef53humLrb8RGsvZCF0HQi/aXGUDCGoADpjqyV5p
5JBLUj3e+O3+OHWmBNj/fmO+wT8srbWtzkmOWGmVCXL+t1EMJmRnbmGAn1Lims5w
cGyZm1WNVNO7sqDbH8HpKqYnxovTTKe1ftv9TooGAFq5YpZ/oaoUx3OIF30yFHEJ
RV7TWn1SjstClvEkdEXY6eCH4ZYlUs7LBtTP24y7ncdj12FqnwxMg/68ZGItTMcE
FYZEFNgm6MCokfLb2eGpvOl9Z6k+GX2omy0sD7/KJ2myokpwlKRKppU/KLZmoIHX
H8ujTwMsAPeVAwmSI7HnFa6RiLomOLd/3tW5J3D2JfD33/LFyD0kkaWZ7CYdrnkm
fRXt44D/fwu1al3VayiGqizSHJ+cFiY66TmvxPaPz8h2polGOXoCbbuQienc2dVa
mrce5MxjekfMuxGtAsABWH6XFtXgOrQ+FwJBtgrKlJeGetj2WBo=
=N85J
-----END PGP SIGNATURE-----
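The changelog above draws a distinction that is easy to get wrong when reviewing a bounds-check patch: a chunk that "could fit in the buffer" (its length is no larger than the buffer's capacity) is not the same as a chunk for which "enough room is free" (its length is no larger than the capacity minus what the buffer already holds), and the check has to run before the copy, not after. The following C illustration is an added example written for this page; it is not libmad's code, the Debian patch, or MPEG main-data handling, and the names (`struct reservoir`, `RESERVOIR_CAP`, `fits_in_buffer`, `reservoir_has_room`, `reservoir_append`) and the 64-byte capacity are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not libmad code: a fixed-capacity reservoir to which
 * variable-length chunks are appended. Capacity and names are assumptions. */
#define RESERVOIR_CAP 64

struct reservoir {
    unsigned char buf[RESERVOIR_CAP];
    size_t used;                 /* bytes currently held in buf */
};

/* The insufficient check described in the changelog: it asks only whether
 * the chunk could fit in an empty buffer and ignores how full it already is. */
int fits_in_buffer(size_t len)
{
    return len <= RESERVOIR_CAP;
}

/* The correct check: compare against the room that is actually free.
 * Written as a subtraction so that a very large len cannot wrap used + len. */
int reservoir_has_room(const struct reservoir *r, size_t len)
{
    return r->used <= RESERVOIR_CAP && len <= RESERVOIR_CAP - r->used;
}

/* Validate the declared length before any byte is copied. Returns 0 on
 * success and -1 when the chunk would not fit; on -1 nothing is written
 * and r->used is left unchanged, so a rejected chunk cannot corrupt state. */
int reservoir_append(struct reservoir *r, const unsigned char *src, size_t len)
{
    if (!reservoir_has_room(r, len))
        return -1;
    memcpy(r->buf + r->used, src, len);
    r->used += len;
    return 0;
}

void reservoir_init(struct reservoir *r)
{
    memset(r, 0, sizeof *r);
}
```

With 60 of the 64 bytes already in use, `fits_in_buffer(20)` still answers yes while `reservoir_has_room` correctly refuses; only the latter is safe to gate the `memcpy`. The subtraction form also rejects a length such as `(size_t)-1` without any integer overflow, which is the kind of input a fuzzer will reach quickly.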