
Bug#870338: marked as done (timidity: CVE-2017-11546 CVE-2017-11547 CVE-2017-11549)



Your message dated Tue, 26 Jun 2018 09:37:13 +0000
with message-id <E1fXkPR-000AhR-2O@fasolo.debian.org>
and subject line Bug#870338: fixed in timidity 2.14.0-4
has caused the Debian Bug report #870338,
regarding timidity: CVE-2017-11546 CVE-2017-11547 CVE-2017-11549
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
870338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870338
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: timidity
Version: 2.13.2-40.2
Severity: important
Tags: upstream security

Hi,

the following vulnerabilities were published for timidity. All three
issues seem to affect the same set of versions in Debian, thus filing
only one bug report:

CVE-2017-11546[0]:
| The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0
| allows remote attackers to cause a denial of service (divide-by-zero
| error and application crash) via a crafted mid file. NOTE: a crash
| might be relevant when using the --background option.

CVE-2017-11547[1]:
| The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows
| remote attackers to cause a denial of service (heap-based buffer
| over-read) via a crafted mid file. NOTE: a crash might be relevant when
| using the --background option. NOTE: the TiMidity++ README.alsaseq
| documentation suggests a setuid-root installation.

CVE-2017-11549[2]:
| The play_midi function in playmidi.c in TiMidity++ 2.14.0 allows remote
| attackers to cause a denial of service (large loop and CPU consumption)
| via a crafted mid file. NOTE: CPU consumption might be relevant when
| using the --background option.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11546
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11546
[1] https://security-tracker.debian.org/tracker/CVE-2017-11547
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11547
[2] https://security-tracker.debian.org/tracker/CVE-2017-11549
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11549
[3] http://seclists.org/fulldisclosure/2017/Jul/83

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: timidity
Source-Version: 2.14.0-4

We believe that the bug you reported is fixed in the latest version of
timidity, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <bastien@portable-bastien-2018.roucaries.eu> (supplier of updated timidity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Jun 2018 11:01:52 +0200
Source: timidity
Binary: timidity timidity-interfaces-extra timidity-el timidity-daemon
Architecture: source
Version: 2.14.0-4
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Bastien Roucariès <bastien@portable-bastien-2018.roucaries.eu>
Description:
 timidity   - Software sound renderer (MIDI sequencer, MOD player)
 timidity-daemon - runs TiMidity++ as a system-wide MIDI sequencer
 timidity-el - Emacs front end to Timidity++
 timidity-interfaces-extra - TiMidity++ extra user interfaces
Closes: 870338 901148 901931
Changes:
 timidity (2.14.0-4) unstable; urgency=high
 .
   * QA upload
   * Suggest only daemon that is pulled by kde, breaking audio output.
     (Closes: #901148, #901931).
   * Bug fix: "CVE-2017-11546 CVE-2017-11547", thanks to
     Salvatore Bonaccorso (Closes: #870338).
Checksums-Sha1:
 78ca5a1269f93d3cf8fd8e97a2444284cf02725d 2292 timidity_2.14.0-4.dsc
 6b88aa373b03b60b072982062c560606120ba22c 29388 timidity_2.14.0-4.debian.tar.xz
 8863efda0d1b57b02ce2814f88e4311e7b2200c7 6058 timidity_2.14.0-4_source.buildinfo
Checksums-Sha256:
 09715b028c287bcff44c72e39dc65280e7b59c64e220ef6fc86b2d475318ae0b 2292 timidity_2.14.0-4.dsc
 188808d2c7737785cfe579f7fc6c220306c97c15e44fa768a0ee964b8d669660 29388 timidity_2.14.0-4.debian.tar.xz
 f6712723db70f00e67b887e862240dd24951637ad05c725ba62ea19b05a0c121 6058 timidity_2.14.0-4_source.buildinfo
Files:
 cbd22b09b8749c37942cbc129e6dfa7a 2292 sound optional timidity_2.14.0-4.dsc
 83ee5b57055d7de6b8004a101028f336 29388 sound optional timidity_2.14.0-4.debian.tar.xz
 968bd13f2af11ab61936e573dba4b7b7 6058 sound optional timidity_2.14.0-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---