From: marit@secmail.pro
To: bug-guix@gnu.org
Date: Sat, 3 Aug 2019 05:12:24 -0700
Subject: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian

Package: libmad
Version: 0.15.1b
Tags: security
Severity: important

Hello!

I think that package "libmad" should be updated to include fixes for the
following vulnerabilities:
https://security-tracker.debian.org/tracker/CVE-2017-8372,
https://security-tracker.debian.org/tracker/CVE-2017-8373,
https://security-tracker.debian.org/tracker/CVE-2017-8374.
This can be done by applying md_size.diff from Debian and replacing
libmad-frame-length.patch with length-check.diff from Debian.

From: marit@secmail.pro
To: control@debbugs.gnu.org
Date: Sat, 3 Aug 2019 10:46:30 -0700
Subject: Merge #36910 and #36909

merge 36909 36910
# #36910 is a duplicate of #36909, submitted by mistake.

From: Glenn Morris
Date: Sat, 03 Aug 2019 13:47:45 -0400
Subject: control message for bug 36910

merge 36909 36910

From: Glenn Morris
Date: Sat, 03 Aug 2019 13:48:01 -0400
Subject: control message for bug 36909

reassign 36909 guix

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: marit@secmail.pro
Date: Tue, 06 Aug 2019 07:29:03 +0000
Subject: bug#36909: closed (Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian)

Your bug report

#36909: CVE-2017-837{2,3,4} patches for libmad from Debian

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 36909@debbugs.gnu.org.

-- 
36909: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=36909
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Mark H Weaver
To: marit@secmail.pro
Cc: 36909-done@debbugs.gnu.org
Date: Tue, 06 Aug 2019 03:27:43 -0400
Subject: Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian

Hi,

marit@secmail.pro wrote:

> I think that package "libmad" should be updated to include fixes for the
> following vulnerabilities:
> https://security-tracker.debian.org/tracker/CVE-2017-8372,
> https://security-tracker.debian.org/tracker/CVE-2017-8373,
> https://security-tracker.debian.org/tracker/CVE-2017-8374.
> This can be done by applying md_size.diff from Debian and replacing
> libmad-frame-length.patch with length-check.diff from Debian.

I've applied the updates that you recommended in commit
aac6c53a7bc9a8d22e88a490ebc99ec79d64a05b on our 'master' branch.
Thanks very much for bringing this to our attention.

Best,
Mark

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: marit@secmail.pro
Date: Tue, 06 Aug 2019 07:29:04 +0000
Subject: bug#36910: closed (Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian)

Your bug report

#36909: CVE patches for libmad

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 36910@debbugs.gnu.org.

-- 
36909: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=36909
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: marit@secmail.pro
To: bug-guix@gnu.org
Date: Sat, 3 Aug 2019 05:56:31 -0700
Subject: CVE patches for libmad

Package: libmad
Version: 0.15.1b
Tags: security
Severity: important

Hello!

I think that package "libmad" should be updated to include fixes for the
following vulnerabilities: CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
This can be done by applying md_size.diff and replacing
libmad-frame-length.patch with length-check.diff (*.diff are from Debian
GNU/Linux).

Best regards!