CVE-2017-837{2,3,4} patches for libmad from Debian

  • Done
Details
3 participants
  • marit
  • Mark H Weaver
  • Glenn Morris
Owner
unassigned
Submitted by
marit
Severity
important
marit wrote on 3 Aug 2019 14:12
(address . bug-guix@gnu.org)
30c0beda6f616bb829c4590ee4367f7c.squirrel@giyzk7o6dcunb2ry.onion
Package: libmad
Version: 0.15.1b
Tags: security
Severity: important

Hello!
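I think that package "libmad" should be updated to include fixes for the
following vulnerabilities:
https://security-tracker.debian.org/tracker/CVE-2017-8372,
https://security-tracker.debian.org/tracker/CVE-2017-8373,
https://security-tracker.debian.org/tracker/CVE-2017-8374.
This can be done by applying md_size.diff from Debian and replacing
libmad-frame-length.patch with length-check.diff from Debian.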
marit wrote on 3 Aug 2019 19:46
Merge #36910 and #36909
(address . control@debbugs.gnu.org)
ec6df7c6bd6fbdb86970aeb587ec4b33.squirrel@giyzk7o6dcunb2ry.onion
merge 36909 36910
# #36910 is a duplicate of #36909, submitted by mistake.
Glenn Morris wrote on 3 Aug 2019 19:47
control message for bug 36910
(address . control@debbugs.gnu.org)
E1hty89-0003mS-E1@fencepost.gnu.org
merge 36909 36910
Glenn Morris wrote on 3 Aug 2019 19:48
control message for bug 36909
(address . control@debbugs.gnu.org)
E1hty8P-0003mz-1E@fencepost.gnu.org
reassign 36909 guix
Mark H Weaver wrote on 6 Aug 2019 09:27
Re: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian
(address . marit@secmail.pro)(address . 36909-done@debbugs.gnu.org)
87sgqen46t.fsf@netris.org
Hi,

marit@secmail.pro wrote:

> I think that package "libmad" should be updated to include fixes for the
> following vulnerabilities:
> https://security-tracker.debian.org/tracker/CVE-2017-8372,
> https://security-tracker.debian.org/tracker/CVE-2017-8373,
> https://security-tracker.debian.org/tracker/CVE-2017-8374.
> This can be done by applying md_size.diff from Debian and replacing
> libmad-frame-length.patch with length-check.diff from Debian.

I've applied the updates that you recommended in commit
aac6c53a7bc9a8d22e88a490ebc99ec79d64a05b on our 'master' branch.

Thanks very much for bringing this to our attention.

Best,
Mark
Closed
This issue is archived.