Bug#865909: faac: CVE-2017-9129 CVE-2017-9130
Salvatore Bonaccorso
2017-06-25 19:16:13 UTC
Source: faac
Version: 1.28+cvs20151130-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for faac.

CVE-2017-9129[0]:
| The wav_open_read function in frontend/input.c in Freeware Advanced
| Audio Coder (FAAC) 1.28 allows remote attackers to cause a denial of
| service (large loop) via a crafted wav file.

CVE-2017-9130[1]:
| The faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio
| Coder (FAAC) 1.28 allows remote attackers to cause a denial of service
| (invalid memory read and application crash) via a crafted wav file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9129
[1] https://security-tracker.debian.org/tracker/CVE-2017-9130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9130
[2] https://www.exploit-db.com/exploits/42207/

Regards,
Salvatore
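Both advisories quoted above describe the same failure class: a crafted WAV file whose header fields are trusted before they are checked, so the reader either spins through an unbounded loop or reads outside the buffer it was given. As an added illustration (this is not FAAC's wav_open_read or faacEncOpen, nor any code from this bug report), the C snippet below shows the defensive shape a RIFF/WAV chunk walker needs: every chunk size is validated against the remaining input before it is used, each iteration makes forward progress, and the walk is capped by a chunk count as well as by the buffer length. The wav_parse/wav_info names, the MAX_CHUNKS limit and the sample byte buffers are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of a bounded RIFF/WAVE header parser (not FAAC code). */

#define MAX_CHUNKS 64   /* assumption: cap on chunks scanned before giving up */

typedef struct {
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
    size_t   data_offset;   /* offset of the first PCM byte within the buffer */
    uint32_t data_size;     /* size of the "data" chunk, already bounds-checked */
} wav_info;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Returns 0 on success; a negative code identifies the rejected condition. */
int wav_parse(const uint8_t *buf, size_t len, wav_info *out) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;                               /* not a RIFF/WAVE container */
    size_t pos = 12;
    int have_fmt = 0;
    for (unsigned n = 0; n < MAX_CHUNKS; n++) {  /* hard cap on loop iterations */
        if (pos + 8 > len)
            return -2;                           /* truncated chunk header */
        uint32_t size = rd_le32(buf + pos + 4);
        size_t body = pos + 8;
        /* size is attacker-controlled: it must fit in what remains of the buffer */
        if (size > len - body)
            return -3;
        if (memcmp(buf + pos, "fmt ", 4) == 0) {
            if (size < 16)
                return -4;                       /* fmt chunk too short to hold fields */
            out->channels        = rd_le16(buf + body + 2);
            out->sample_rate     = rd_le32(buf + body + 4);
            out->bits_per_sample = rd_le16(buf + body + 14);
            if (out->channels == 0 || out->sample_rate == 0 || out->bits_per_sample == 0)
                return -5;                       /* values that would divide by zero later */
            have_fmt = 1;
        } else if (memcmp(buf + pos, "data", 4) == 0) {
            if (!have_fmt)
                return -6;                       /* data before fmt: format unknown */
            out->data_offset = body;
            out->data_size   = size;
            return 0;
        }
        /* Skip unknown chunk; RIFF pads odd sizes. advance >= 8, so pos always grows. */
        pos += 8 + (size_t)size + (size & 1);
    }
    return -7;                                   /* chunk cap hit without a data chunk */
}

/* Constructed sample: 16-bit mono 44100 Hz PCM WAV with 4 bytes of audio data. */
static const uint8_t good_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0, 0,0,0,0
};

/* Constructed sample: same file with a LIST chunk claiming a 4 GiB body. */
static const uint8_t huge_chunk_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0,
    'L','I','S','T', 0xFF,0xFF,0xFF,0xFF,
    'd','a','t','a', 4,0,0,0, 0,0,0,0
};

/* Constructed sample: 100 zero-length junk chunks and no data chunk at all. */
int zero_chunk_flood_result(void) {
    uint8_t buf[12 + 24 + 8 * 100];
    memcpy(buf, good_wav, 36);                   /* RIFF header + fmt chunk */
    for (int i = 0; i < 100; i++)
        memcpy(buf + 36 + 8 * i, "junk\0\0\0\0", 8);
    wav_info w;
    return wav_parse(buf, sizeof buf, &w);       /* stops at MAX_CHUNKS, returns -7 */
}

int main(void) {
    wav_info w;
    printf("good:  %d\n", wav_parse(good_wav, sizeof good_wav, &w));
    printf("huge:  %d\n", wav_parse(huge_chunk_wav, sizeof huge_chunk_wav, &w));
    printf("flood: %d\n", zero_chunk_flood_result());
    return 0;
}
```

The three checks together are what make a crafted header harmless: the size test prevents the oversized LIST chunk from moving the read position past the buffer, the fixed per-iteration advance prevents a zero-size chunk from stalling the walk, and the iteration cap bounds the work spent on a file that never delivers a data chunk.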
Debian Bug Tracking System
2017-06-30 18:54:04 UTC
forwarded -1 https://sourceforge.net/p/faac/bugs/208/
Bug #865909 [src:faac] faac: CVE-2017-9129 CVE-2017-9130
Set Bug forwarded-to-address to 'https://sourceforge.net/p/faac/bugs/208/'.
tags -1 +patch
Bug #865909 [src:faac] faac: CVE-2017-9129 CVE-2017-9130
Added tag(s) patch.
--
865909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865909
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2017-07-05 18:39:06 UTC
Your message dated Wed, 05 Jul 2017 18:34:02 +0000
with message-id <E1dSp7i-00014n-***@fasolo.debian.org>
and subject line Bug#865909: fixed in faac 1.29+git20170704-1
has caused the Debian Bug report #865909,
regarding faac: CVE-2017-9129 CVE-2017-9130
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
865909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865909
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Fabian Greffrath
2017-07-14 09:45:59 UTC
control: tags -1 +patch +fixed-upstream

This has been fixed in upstream GIT.

Please find attached the cumulated patch.

- Fabian
Debian Bug Tracking System
2017-07-14 09:48:06 UTC
Post by Fabian Greffrath
tags -1 +patch +fixed-upstream
Bug #865909 {Done: Fabian Greffrath <***@debian.org>} [src:faac] faac: CVE-2017-9129 CVE-2017-9130
Ignoring request to alter tags of bug #865909 to the same tags previously set
Bug #865909 {Done: Fabian Greffrath <***@debian.org>} [src:faac] faac: CVE-2017-9129 CVE-2017-9130
Added tag(s) fixed-upstream.
--
865909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865909
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems