[Secure-testing-team] Bug#843928: ming: CVE-2016-9264 CVE-2016-9265 CVE-2016-9266
Salvatore Bonaccorso
carnil at debian.org
Thu Nov 10 19:07:14 UTC 2016
Source: ming
Version: 1:0.4.4-1.1
Severity: important
Tags: security upstream
Hi,
the following vulnerabilities were published for ming.
The issues cannot be seen directly with the given reproducers
apparently since they are covered by other issues. But according to Agostino
Sarubbo they are found in 0.4.7 and there were no changes from 0.4.5
to 0.4.7 in listmp3.c.
CVE-2016-9264[0]:
global-buffer-overflow in printMP3Headers (listmp3.c)
CVE-2016-9265[1]:
divide-by-zero in printMP3Headers (listmp3.c)
CVE-2016-9266[2]:
left shift in listmp3.c
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9264
[1] https://security-tracker.debian.org/tracker/CVE-2016-9265
[2] https://security-tracker.debian.org/tracker/CVE-2016-9266
Btw, should ming rather be removed completely from Debian? It is
currently not in testing, and will not be in stretch.
Regards,
Salvatore