mplayer: CVE-2016-4352: Mplayer/Mencoder integer overflow parsing gif files


Debian Bug report logs - #823723


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 8 May 2016 04:21:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions mplayer/2:1.0~rc4.dfsg1+svn34540-1, mplayer/2:1.3.0-1

Fixed in versions mplayer/2:1.0~rc4.dfsg1+svn34540-1+deb7u2, mplayer/2:1.3.0-2

Done: debian.micove@gmail.com (Miguel A. Colón Vélez)

Bug is archived. No further changes may be made.

Forwarded to https://trac.mplayerhq.hu/ticket/2295



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#823723; Package src:mplayer. (Sun, 08 May 2016 04:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 08 May 2016 04:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mplayer: CVE-2016-4352: Mplayer/Mencoder integer overflow parsing gif files
Date: Sun, 08 May 2016 06:18:46 +0200
Source: mplayer
Version: 2:1.0~rc4.dfsg1+svn34540-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://trac.mplayerhq.hu/ticket/2295
Control: found -1 2:1.3.0-1

Hi,

the following vulnerability was published for mplayer.

CVE-2016-4352[0]:
Mplayer/Mencoder integer overflow parsing gif files

The issue seems present sourcewise up to 2:1.3.0-1 in unstable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4352

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions mplayer/2:1.3.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 08 May 2016 04:21:07 GMT)


Marked as fixed in versions mplayer/2:1.0~rc4.dfsg1+svn34540-1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 May 2016 04:27:04 GMT)


Added tag(s) pending. Request was from Mateusz Łukasik <mati75@linuxmint.pl> to control@bugs.debian.org. (Sun, 08 May 2016 18:39:14 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#823723. (Sun, 08 May 2016 18:39:18 GMT)


Message #14 received at 823723-submitter@bugs.debian.org:

From: Mateusz Łukasik <mati75@linuxmint.pl>
To: 823723-submitter@bugs.debian.org
Subject: Bug#823723 marked as pending
Date: Sun, 08 May 2016 18:35:12 +0000
tag 823723 pending
thanks

Hello,

Bug #823723 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-multimedia/mplayer.git;a=commitdiff;h=0e4955c

---
commit 0e4955c6fb56ea86fd6fa26b20923fcdcf61a8ee
Author: Mateusz Łukasik <mati75@linuxmint.pl>
Date:   Sun May 8 20:35:26 2016 +0200

    Add CVE-2016-4352.patch to fix CVE-2016-4352 - Mplayer/Mencoder integer overflow parsing gif files. (Closes: #823723)

diff --git a/debian/changelog b/debian/changelog
index 278dc58..f4252dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ mplayer (2:1.3.0-2) UNRELEASED; urgency=medium
   * debian/control:
     - Add transitional package mplayer2 for upgrades from jessie Jessie.
     (Closes: #823589)
+  * debian/patches:
+    - Add CVE-2016-4352.patch to fix CVE-2016-4352 - Mplayer/Mencoder integer 
+     overflow parsing gif files. (Closes: #823723)
 
  -- Mateusz Łukasik <mati75@linuxmint.pl>  Sun, 08 May 2016 20:19:11 +0200
 
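Review bot: the first added line of the new debian/patches entry carries trailing whitespace ("integer " before the line break) and its continuation line is indented inconsistently with the entry above it, so the wrapped text does not line up under "Add"; strip the trailing space and align the continuation with the existing "- Add transitional package" entry. Since the fix is a backport of an upstream change, consider recording the upstream revision in the patch name or changelog text, as the eventual 2:1.3.0-2 upload did with 0100_svn37857_CVE-2016-4352.patch, so that the provenance of the patch is visible from the changelog alone.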



Reply sent to debian.micove@gmail.com (Miguel A. Colón Vélez):
You have taken responsibility. (Thu, 26 May 2016 10:06:38 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 26 May 2016 10:06:38 GMT)


Message #19 received at 823723-close@bugs.debian.org:

From: debian.micove@gmail.com (Miguel A. Colón Vélez)
To: 823723-close@bugs.debian.org
Subject: Bug#823723: fixed in mplayer 2:1.3.0-2
Date: Thu, 26 May 2016 10:01:11 +0000
Source: mplayer
Source-Version: 2:1.3.0-2

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823723@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel A. Colón Vélez <debian.micove@gmail.com> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 25 May 2016 12:01:48 -0400
Source: mplayer
Binary: mplayer-gui mencoder mplayer mplayer-doc mplayer2
Architecture: source amd64 all
Version: 2:1.3.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Miguel A. Colón Vélez <debian.micove@gmail.com>
Description:
 mencoder   - MPlayer's Movie Encoder
 mplayer    - movie player for Unix-like systems
 mplayer-doc - documentation for MPlayer
 mplayer-gui - movie player for Unix-like systems (GUI variant)
 mplayer2   - transitional dummy package for mplayer
Closes: 823589 823723
Changes:
 mplayer (2:1.3.0-2) unstable; urgency=medium
 .
   [ Mateusz Łukasik ]
   * debian/control:
     - Add transitional package mplayer2 for upgrades from jessie Jessie.
       (Closes: #823589, LP: #1580268)
   * debian/patches:
     - Add 0100_svn37857_CVE-2016-4352.patch to fix CVE-2016-4352 -
       Mplayer/Mencoder integer overflow parsing gif files. (Closes: #823723)
 .
   [ Miguel A. Colón Vélez ]
   * debian/patches:
     - Refresh patches to fix a FTBFS in GNU/Hurd.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Jun 2016 07:27:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:11:52 2019; Machine Name: beach
