Format: 1.8
Date: Tue, 01 May 2018 13:20:28 +0200
Source: libmad
Binary: libmad0 libmad0-dev
Architecture: source amd64
Version: 0.15.1b-8+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Mad Maintainers <pkg-mad-maintainers@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 libmad0 - MPEG audio decoder library
 libmad0-dev - MPEG audio decoder development library
Closes: 287519
Changes:
 libmad (0.15.1b-8+deb8u1) jessie-security; urgency=high
 .
   * Properly check the size of the main data. The previous patch only
     checked that it could fit in the buffer, but didn't ensure there was
     actually enough room free in the buffer. This was assigned both
     CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a
     different way to detect it. (Closes: #287519)
   * Rewrite patch to check the size of buffer. It now checks it before
     reading it instead of afterwards checking that we did read too much.
     This now also covers parsing the frame and layer3, not just layer 1
     and 2. This was originally reported in #508133. CVE-2017-8374
     mentions a case in layer 3.