[Secure-testing-team] Bug#886503: wildmidi: CVE-2017-1000418

Salvatore Bonaccorso carnil at debian.org
Sat Jan 6 22:32:12 UTC 2018


Source: wildmidi
Version: 0.4.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/Mindwerks/wildmidi/issues/178

Hi,

the following vulnerability was published for wildmidi.

CVE-2017-1000418[0]:
| The WildMidi_Open function in WildMIDI since commit
| d8a466829c67cacbb1700beded25c448d99514e5 allows remote attackers to
| cause a denial of service (heap-based buffer overflow and application
| crash) or possibly have unspecified other impact via a crafted file.

Note the CVE description looks wrong regarding "since commit" because
that's just the preceding commit to the fixing commit, AFAICS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000418
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000418
[1] https://github.com/Mindwerks/wildmidi/issues/178
[2] https://github.com/Mindwerks/wildmidi/commit/814f31d8eceda8401eb812fc2e94ed143fdad0ab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore