libvpx: Out-of-bounds write with WebM video [CVE-2014-1578]

Related Vulnerabilities: CVE-2014-1578  

Debian Bug report logs - #765435


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Wed, 15 Oct 2014 06:12:01 UTC

Severity: grave

Tags: patch, security

Found in version libvpx/1.3.0-2.1

Fixed in version libvpx/1.3.0-3

Done: Sebastian Dröge <slomo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#765435; Package src:libvpx. (Wed, 15 Oct 2014 06:12:06 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Dröge <slomo@debian.org>. (Wed, 15 Oct 2014 06:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvpx: Out-of-bounds write with WebM video [CVE-2014-1578]
Date: Wed, 15 Oct 2014 08:09:53 +0200
Source: libvpx
Version: 1.3.0-2.1
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

an out-of-bounds write vulnerability in libvpx has been fixed in a recent Mozilla
advisory [1], and a patch is also provided [2].

Can you prepare an update for unstable and push it asap?

Also, I'm unsure if the vulnerability affects stable, so it might be
worth checking there too (and coordinate with us for an upload).

If you fix the vulnerability, please add the CVE reference
(CVE-2014-1578) to the changelog.

[1]: https://www.mozilla.org/security/announce/2014/mfsa2014-77.html
[2]: https://hg.mozilla.org/releases/mozilla-esr31/rev/6023f0b4f8ba

Thanks in advance,
-- 
Yves-Alexis Perez - Debian security team

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Tue, 21 Oct 2014 10:03:34 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 21 Oct 2014 10:03:34 GMT)


Message #10 received at 765435-close@bugs.debian.org:

From: Sebastian Dröge <slomo@debian.org>
To: 765435-close@bugs.debian.org
Subject: Bug#765435: fixed in libvpx 1.3.0-3
Date: Tue, 21 Oct 2014 10:01:54 +0000
Source: libvpx
Source-Version: 1.3.0-3

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 Oct 2014 10:02:18 +0200
Source: libvpx
Binary: libvpx-dev libvpx1 libvpx1-dbg libvpx-doc vpx-tools
Architecture: source all amd64
Version: 1.3.0-3
Distribution: unstable
Urgency: high
Maintainer: Sebastian Dröge <slomo@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description:
 libvpx-dev - VP8 and VP9 video codec (development files)
 libvpx-doc - VP8 and VP9 video codec (API documentation)
 libvpx1    - VP8 and VP9 video codec (shared library)
 libvpx1-dbg - VP8 and VP9 video codec (debugging symbols)
 vpx-tools  - VP8 and VP9 video codec encoding/decoding tools
Closes: 760095 765435
Changes:
 libvpx (1.3.0-3) unstable; urgency=high
 .
   * debian/control:
     + Add VP9 to the short and long package descriptions (Closes: #760095).
   * debian/patches/vp9-out-of-bounds-access.patch:
     + Fix out of bounds access in the VP9 codec (CVE-2014-1578) (Closes: #765435).
Checksums-Sha1:
 78c3b4edc7f02705b598819b074c8105f3682429 2129 libvpx_1.3.0-3.dsc
 720752e919c6345c2a06b3b00c6037673591a268 11248 libvpx_1.3.0-3.debian.tar.xz
 fe1fcafaae9c2754559230b24d05e3a7975960b8 191656 libvpx-doc_1.3.0-3_all.deb
 e577e2c4f15ed648c3722f29f81e2d663ca026cd 684456 libvpx-dev_1.3.0-3_amd64.deb
 88fb188e1cec55341b8a29cf1b145d362db206fd 599482 libvpx1_1.3.0-3_amd64.deb
 3f32002a2d97e466e1d86c8e7c561a604d54ce3d 1376324 libvpx1-dbg_1.3.0-3_amd64.deb
 c6d98d2a287f4cb7714db5887932714eed2ba3d7 80496 vpx-tools_1.3.0-3_amd64.deb
Checksums-Sha256:
 aa468780484234775c62ed22a9e2140f343d7ec4d855dd80d6a6f4625e737431 2129 libvpx_1.3.0-3.dsc
 9fe4ff76aeb929f5b6efd999d3e19d7ec5186c13763e05001a552aa4a3b3fce0 11248 libvpx_1.3.0-3.debian.tar.xz
 328574eaf5b7795ebef3cc56d75bb12289477fae6f5fd9234ab50b7352374b32 191656 libvpx-doc_1.3.0-3_all.deb
 f27ad7fee9451ca83dab4311b302eddb2e948e9497418dc49ba2e2598c922949 684456 libvpx-dev_1.3.0-3_amd64.deb
 14820ca6a795ce534a8292338ddda0a5af747a66f8091d88265107b2782cec19 599482 libvpx1_1.3.0-3_amd64.deb
 8219e10a622d79abd7d1c0505f81c60c2d5e310299f64f909dd68a63fff276d8 1376324 libvpx1-dbg_1.3.0-3_amd64.deb
 0658b634dabf9ffc459d6c64c7630550e6feabd8f526fa165dae6aab66aa0e7f 80496 vpx-tools_1.3.0-3_amd64.deb
Files:
 2f5c3f8510c91efaf5a050f36117a203 2129 video optional libvpx_1.3.0-3.dsc
 82d573a218cab20465193095790258d7 11248 video optional libvpx_1.3.0-3.debian.tar.xz
 da0a52d0107b39cac822eea29ea3c552 191656 doc optional libvpx-doc_1.3.0-3_all.deb
 e87f903e8a9f61871eb219fa2e200903 684456 libdevel optional libvpx-dev_1.3.0-3_amd64.deb
 a31e1de3bf7d71b02763c7eb194a445f 599482 libs optional libvpx1_1.3.0-3_amd64.deb
 b8b87a0da800897aa76c0f1fb167dc38 1376324 debug extra libvpx1-dbg_1.3.0-3_amd64.deb
 9edfc9a368e7ccfadda5cb34e9bf6c01 80496 utils optional vpx-tools_1.3.0-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJURhVeXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ3RjRCQzdDQzNDQTA2Rjk3MzM2QkJGRUIw
NjY4Q0MxNDg2QzJEN0I1AAoJEAZozBSGwte1TikQALxRWYdkUptkvaxLZ7pVWj7u
GwXpRnADXf3fxs4RajOqfZcAk7K55x4aR58nE4QsASep3GVC4UDl/BZN/fZaL6aT
WbyjFKK2spf/wIA+oHjNUPVzVikd0fEN2+shnY9jAQ034QN3M2ZyvahEG50MxGr1
uVTmuO8q2t88WtXJmbDFwAbeqmN4P8/dqxjEk8+GeqO4h7BqGMlx/PLyP6tT/rbj
+OYZwQeKQ3fzyFqbAnSqinl+rXDe7YJsJKipd2hORUjiT+0o3A65vBVd9IrLCvWb
PZROrzFmiNr5ms5pre4OwdFLbQJHkvy9fQN66Q27Dkm5B+nTaMXrbxMERAVdWrlI
Q9LpD77EQJ+FY1vs7vipUrSCcbfvR1EALkOdip92jzF9TV3NdxxqqFrOhnxRfg7A
WSOmiAHfCxBkNcf1Bj2a7mXvKkLBJR3rfPDtNwY1SUma6fvJwBgbnNLrWpYDKbGM
d0SKts5E2qxYiMgjNPvULvbTQlksynIyg3RTLhQFX+C2s94tlHrUELTla1L8oYim
Wtz73RofqmndQ++WnL2+paYy9mWRkk6R8VN+l4nsdLT15Y1hBidduMONxuA1lnh4
5r0MXjLiAeeUsB5wv1vZhiuehdsHs4fksSv4YpJDfPF70kGA/0Pxq9ZYFQs2UIRr
TOvvT2m8Jib5vZp2NFNU
=SnST
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Nov 2014 07:33:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:13:07 2019; Machine Name: beach
