gst-plugins-good1.0: CVE-2016-9634 CVE-2016-9635 CVE-2016-9636

Debian Bug report logs - #845375
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 22 Nov 2016 21:03:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version gst-plugins-good1.0/1.4.4-2

Fixed in versions gst-plugins-good1.0/1.10.1-2, gst-plugins-good1.0/1.4.4-2+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=774834


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>:
Bug#845375; Package src:gst-plugins-good1.0. (Tue, 22 Nov 2016 21:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>. (Tue, 22 Nov 2016 21:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gst-plugins-good1.0: heap corruption vulnerability in the gstreamer decoder for the FLIC file format
Date: Tue, 22 Nov 2016 22:00:06 +0100
Source: gst-plugins-good1.0
Version: 1.4.4-2
Severity: grave
Tags: security upstream patch
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=774834

Hi

See
https://scarybeastsecurity.blogspot.ch/2016/11/0day-exploit-advancing-exploitation.html
(there is no CVE assigned yet).

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=774834

Regards,
Salvatore



Changed Bug title to 'gst-plugins-good1.0: CVE-2016-9634 CVE-2016-9635 CVE-2016-9636' from 'gst-plugins-good1.0: heap corruption vulnerability in the gstreamer decoder for the FLIC file format'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Nov 2016 05:39:09 GMT)


Reply sent to Sebastian Dröge <slomo@coaxion.net>:
You have taken responsibility. (Thu, 24 Nov 2016 11:03:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 24 Nov 2016 11:03:04 GMT)


Message #12 received at 845375-done@bugs.debian.org:

From: Sebastian Dröge <slomo@coaxion.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 845375-done@bugs.debian.org
Subject: Re: Bug#845375: gst-plugins-good1.0: heap corruption vulnerability in the gstreamer decoder for the FLIC file format
Date: Thu, 24 Nov 2016 13:00:29 +0200
Version: 1.10.1-2

On Tue, 2016-11-22 at 22:00 +0100, Salvatore Bonaccorso wrote:
> Source: gst-plugins-good1.0
> Version: 1.4.4-2
> Severity: grave
> Tags: security upstream patch
> Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=774834
> 
> Hi
> 
> See https://scarybeastsecurity.blogspot.ch/2016/11/0day-exploit-advancing-exploitation.html (there is no CVE assigned yet).
> 
> Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=774834

Forgot to close this one with my 1.10.1-2 upload. But that one contains
the fixes for these CVEs.

Marked as fixed in versions gst-plugins-good1.0/1.10.1-2; no longer marked as fixed in versions 1.10.1-2. Request was from Sebastian Dröge <slomo@coaxion.net> to control@bugs.debian.org. (Thu, 24 Nov 2016 11:06:12 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 27 Nov 2016 21:51:48 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 27 Nov 2016 21:51:48 GMT)


Message #19 received at 845375-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 845375-close@bugs.debian.org
Subject: Bug#845375: fixed in gst-plugins-good1.0 1.4.4-2+deb8u1
Date: Sun, 27 Nov 2016 21:47:22 +0000
Source: gst-plugins-good1.0
Source-Version: 1.4.4-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
gst-plugins-good1.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gst-plugins-good1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 22 Nov 2016 22:35:02 +0100
Source: gst-plugins-good1.0
Binary: gstreamer1.0-plugins-good-doc gstreamer1.0-pulseaudio gstreamer1.0-plugins-good gstreamer1.0-plugins-good-dbg
Architecture: all source
Version: 1.4.4-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 845375
Description: 
 gstreamer1.0-plugins-good - GStreamer plugins from the "good" set
 gstreamer1.0-plugins-good-dbg - GStreamer plugins from the "good" set
 gstreamer1.0-plugins-good-doc - GStreamer documentation for plugins from the "good" set
 gstreamer1.0-pulseaudio - GStreamer plugin for PulseAudio
Changes:
 gst-plugins-good1.0 (1.4.4-2+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * flxdec: add some write bounds checking (Closes: #845375)
   * flxdec: fix some warnings comparing unsigned < 0
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:20:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:20 2019; Machine Name: beach