CVE-2017-837{2,3,4} patches for libmad from Debian

Details
3 participants
  • marit
  • Mark H Weaver
  • Glenn Morris
Owner
unassigned
Submitted by
marit
Severity
important
Merged with
marit wrote on 3 Aug 2019 14:12
(address . bug-guix@gnu.org)
30c0beda6f616bb829c4590ee4367f7c.squirrel@giyzk7o6dcunb2ry.onion
Package: libmad
Version: 0.15.1b
Tags: security
Severity: important

Hello!
I think that package "libmad" should be updated to include fixes for the
following vulnerabilities:
https://security-tracker.debian.org/tracker/CVE-2017-8372,
https://security-tracker.debian.org/tracker/CVE-2017-8373,
https://security-tracker.debian.org/tracker/CVE-2017-8374.
This can be done by applying md_size.diff from Debian and replacing
libmad-frame-length.patch with length-check.diff from Debian.
marit wrote on 3 Aug 2019 19:46
Merge #36910 and #36909
(address . control@debbugs.gnu.org)
ec6df7c6bd6fbdb86970aeb587ec4b33.squirrel@giyzk7o6dcunb2ry.onion
merge 36909 36910
# #36910 is a duplicate of #36909, submitted by mistake.
Glenn Morris wrote on 3 Aug 2019 19:47
control message for bug 36910
(address . control@debbugs.gnu.org)
E1hty89-0003mS-E1@fencepost.gnu.org
merge 36909 36910
Glenn Morris wrote on 3 Aug 2019 19:48
control message for bug 36909
(address . control@debbugs.gnu.org)
E1hty8P-0003mz-1E@fencepost.gnu.org
reassign 36909 guix
Mark H Weaver wrote on 6 Aug 2019 09:27
Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian
(address . marit@secmail.pro)(address . 36909-done@debbugs.gnu.org)
87sgqen46t.fsf@netris.org
Hi,

marit@secmail.pro wrote:

> I think that package "libmad" should be updated to include fixes for the
> following vulnerabilities:
> https://security-tracker.debian.org/tracker/CVE-2017-8372,
> https://security-tracker.debian.org/tracker/CVE-2017-8373,
> https://security-tracker.debian.org/tracker/CVE-2017-8374.
> This can be done by applying md_size.diff from Debian and replacing
> libmad-frame-length.patch with length-check.diff from Debian.

I've applied the updates that you recommended in commit
aac6c53a7bc9a8d22e88a490ebc99ec79d64a05b on our 'master' branch.

Thanks very much for bringing this to our attention.

Best,
Mark
Closed