Discussion:
Bug#867724: Multiple security issues
Moritz Muehlenhoff
2017-07-08 22:07:40 UTC
Source: faad2
Severity: important
Tags: security

Multiple vulnerabilities in faad2, please see:
http://seclists.org/fulldisclosure/2017/Jun/32

Cheers,
Moritz
Fabian Greffrath
2017-07-14 09:32:42 UTC
control: tags -1 +patch +fixed-upstream

This has been fixed in upstream GIT.

Please find attached the cumulated patch

- Fabian
Debian Bug Tracking System
2017-07-14 09:36:04 UTC
Post by Fabian Greffrath
> tags -1 +patch +fixed-upstream
Bug #867724 [src:faad2] Multiple security issues
Added tag(s) patch.
Bug #867724 [src:faad2] Multiple security issues
Added tag(s) fixed-upstream.
--
867724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867724
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2017-07-17 21:09:13 UTC
Your message dated Mon, 17 Jul 2017 21:04:36 +0000
with message-id <E1dXDC0-0006cR-***@fasolo.debian.org>
and subject line Bug#867724: fixed in faad2 2.8.1-1
has caused the Debian Bug report #867724,
regarding Multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
Markus Koschany
2017-08-27 18:33:50 UTC
On Fri, 14 Jul 2017 11:32:42 +0200 "Fabian Greffrath"
Post by Fabian Greffrath
> control: tags -1 +patch +fixed-upstream
> This has been fixed in upstream GIT.
> Please find attached the cumulated patch
Hi Fabian,

I am currently working on a security update for faad2 in Wheezy. I saw
that upstream did another commit three days after you attached your
patch to this bug report.

https://sourceforge.net/p/faac/faad2/ci/a67c75ed600cf4b41205d69664d3d9106e9c5380/

Apparently there were some issues with an earlier version of your patch.
However, aside from the changes in two additional header files I don't
see a difference between your patch in this bug report and upstream's
latest commit to address the security vulnerabilities.

Are you aware of any issues with your patch?

Regards,

Markus
Fabian Greffrath
2017-08-27 19:29:43 UTC
Post by Markus Koschany
> Are you aware of any issues with your patch?
Yes, there was an issue with my patch! I added a field to a struct to
keep track of reading errors, but the struct was defined in two
different places in the source code. This led to a crash when free()ing
a pointer to this struct on Linux, but not on Windows which I used to
develop the patch (don't ask).

Applying this patch on top of the one I sent to the Debian BTS should
fix this issue, although upstream decided to go a different way
and entirely replace the mp4ff library.

https://sourceforge.net/p/faac/bugs/209/?limit=25&page=1#d838

- Fabian
Markus Koschany
2017-08-30 20:23:08 UTC
Post by Fabian Greffrath
> Post by Markus Koschany
> > Are you aware of any issues with your patch?
> Yes, there was an issue with my patch! I added a field to a struct to
> keep track of reading errors, but the struct was defined in two
> different places in the source code. This led to a crash when free()ing
> a pointer to this struct on Linux, but not on Windows which I used to
> develop the patch (don't ask).
> Applying this patch on top of the one I sent to the Debian BTS should
> fix this issue, although upstream decided to go a different way
> and entirely replace the mp4ff library.
> https://sourceforge.net/p/faac/bugs/209/?limit=25&page=1#d838
> - Fabian
Hi,

I uploaded a security update for faad2 to wheezy-security a few hours
ago. I am attaching the debdiff to this bug report.

Do you intend to fix the issue in Stretch too? I could prepare the
update for Jessie and ask the release team for a jessie-pu.

Markus
Fabian Greffrath
2017-09-01 09:12:32 UTC
Hi Markus,
Post by Markus Koschany
> I uploaded a security update for faad2 to wheezy-security a few hours
> ago. I am attaching the debdiff to this bug report.
thank you very much for that!
Post by Markus Koschany
> Do you intend to fix the issue in Stretch too? I could prepare the
> update for Jessie and ask the release team for a jessie-pu.
I don't have any plans to do that.

Cheers,

- Fabian