From debbugs-submit-bounces@debbugs.gnu.org Sat Aug 03 11:17:43 2019
From: marit@secmail.pro
To: bug-guix@gnu.org
Subject: CVE-2017-837{2,3,4} patches for libmad from Debian
Date: Sat, 3 Aug 2019 05:12:24 -0700

Package: libmad
Version: 0.15.1b
Tags: security
Severity: important

Hello!

I think that package "libmad" should be updated to include fixes for the
following vulnerabilities:
https://security-tracker.debian.org/tracker/CVE-2017-8372,
https://security-tracker.debian.org/tracker/CVE-2017-8373,
https://security-tracker.debian.org/tracker/CVE-2017-8374.
This can be done by applying md_size.diff from Debian and replacing
libmad-frame-length.patch with length-check.diff from Debian.

From debbugs-submit-bounces@debbugs.gnu.org Sat Aug 03 13:46:45 2019
From: marit@secmail.pro
To: control@debbugs.gnu.org
Subject: Merge #36910 and #36909
Date: Sat, 3 Aug 2019 10:46:30 -0700

merge 36909 36910
# #36910 is a duplicate of #36909, submitted by mistake.

From debbugs-submit-bounces@debbugs.gnu.org Sat Aug 03 13:47:52 2019
From: Glenn Morris
Subject: control message for bug 36910
Date: Sat, 03 Aug 2019 13:47:45 -0400

merge 36909 36910

From debbugs-submit-bounces@debbugs.gnu.org Sat Aug 03 13:48:08 2019
From: Glenn Morris
Subject: control message for bug 36909
Date: Sat, 03 Aug 2019 13:48:01 -0400

reassign 36909 guix

From debbugs-submit-bounces@debbugs.gnu.org Tue Aug 06 03:28:04 2019
From: Mark H Weaver
To: marit@secmail.pro
Cc: 36909-done@debbugs.gnu.org
Subject: Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian
Date: Tue, 06 Aug 2019 03:27:43 -0400

Hi,

marit@secmail.pro wrote:
> I think that package "libmad" should be updated to include fixes for the
> following vulnerabilities:
> https://security-tracker.debian.org/tracker/CVE-2017-8372,
> https://security-tracker.debian.org/tracker/CVE-2017-8373,
> https://security-tracker.debian.org/tracker/CVE-2017-8374.
> This can be done by applying md_size.diff from Debian and replacing
> libmad-frame-length.patch with length-check.diff from Debian.

I've applied the updates that you recommended in commit
aac6c53a7bc9a8d22e88a490ebc99ec79d64a05b on our 'master' branch.

Thanks very much for bringing this to our attention.

Best,
Mark

From unknown Mon Aug 18 17:53:44 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 03 Sep 2019 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator