From: Mark H Weaver
Subject: bug#36909: CVE-2017-837{2,3,4} patches for libmad from Debian
Date: Tue, 06 Aug 2019 03:27:43 -0400
Message-ID: <87sgqen46t.fsf@netris.org>
In-Reply-To: <30c0beda6f616bb829c4590ee4367f7c.squirrel@giyzk7o6dcunb2ry.onion> (marit@secmail.pro's message of "Sat, 3 Aug 2019 05:12:24 -0700")
List-Id: Bug reports for GNU Guix
To: marit@secmail.pro
Cc: 36909-done@debbugs.gnu.org

Hi,

marit@secmail.pro wrote:

> I think that package "libmad" should be updated to include fixes for the
> following vulnerabilities:
> https://security-tracker.debian.org/tracker/CVE-2017-8372,
> https://security-tracker.debian.org/tracker/CVE-2017-8373,
> https://security-tracker.debian.org/tracker/CVE-2017-8374.
> This can be done by applying md_size.diff from Debian and replacing
> libmad-frame-length.patch with length-check.diff from Debian.
I've applied the updates that you recommended in commit aac6c53a7bc9a8d22e88a490ebc99ec79d64a05b on our 'master' branch. Thanks very much for bringing this to our attention.

Best,
 Mark