Debian Bug report logs -
#919529
CVE-2019-6256
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 16 Jan 2019 22:21:02 UTC
Severity: grave
Tags: security, upstream
Found in version liblivemedia/2016.11.28-1
Fixed in version 2018.11.26-1
Done: Sebastian Ramacher <sramacher@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#919529; Package src:liblivemedia.
(Wed, 16 Jan 2019 22:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Wed, 16 Jan 2019 22:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: liblivemedia
Severity: grave
Tags: security
Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#919529; Package src:liblivemedia.
(Wed, 16 Jan 2019 23:03:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Wed, 16 Jan 2019 23:03:08 GMT) (full text, mbox, link).
Message #10 received at 919529@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: found -1 2016.11.28-1
On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> Source: liblivemedia
> Severity: grave
> Tags: security
>
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
>
> Cheers,
> Moritz
Not sure if I'm missing something, but the PoC does not seem to work on
buster/sid. On stretch I get segfaults, but only if I abort the PoC. So marking
as found in stable and closing for sid.
Cheers
--
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions liblivemedia/2016.11.28-1.
Request was from Sebastian Ramacher <sramacher@debian.org>
to 919529-submit@bugs.debian.org.
(Wed, 16 Jan 2019 23:03:08 GMT) (full text, mbox, link).
Reply sent
to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility.
(Wed, 16 Jan 2019 23:03:11 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Wed, 16 Jan 2019 23:03:11 GMT) (full text, mbox, link).
Message #17 received at 919529-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 2018.11.26-1
On 2019-01-17 00:00:13, Sebastian Ramacher wrote:
> Control: found -1 2016.11.28-1
>
> On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> > Source: liblivemedia
> > Severity: grave
> > Tags: security
> >
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
> >
> > Cheers,
> > Moritz
>
> Not sure if I'm missing something, but the PoC does not seem to work on
> buster/sid. On stretch I get segfaults, but only if I abort the PoC. So marking
> as found in stable and closing for sid.
The actual mail to close the bug for sid.
--
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#919529; Package src:liblivemedia.
(Fri, 18 Jan 2019 02:36:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Fri, 18 Jan 2019 02:36:08 GMT) (full text, mbox, link).
Message #22 received at 919529@bugs.debian.org (full text, mbox, reply):
On Thu, Jan 17, 2019 at 12:00:13AM +0100, Sebastian Ramacher wrote:
> Control: found -1 2016.11.28-1
>
> On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> > Source: liblivemedia
> > Severity: grave
> > Tags: security
> >
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
> >
> > Cheers,
> > Moritz
>
> Not sure if I'm missing something, but the PoC does not seem to work on
> buster/sid.
Quite possible, I hadn't reproduced it myself yet and upstream homepage
wasn't that obvious wrt existing fixes.
Cheers,
Moritz
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 19 Jan 2019 21:30:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#919529; Package src:liblivemedia.
(Sat, 19 Jan 2019 21:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Sat, 19 Jan 2019 21:39:04 GMT) (full text, mbox, link).
Message #31 received at 919529@bugs.debian.org (full text, mbox, reply):
Hey!
On Thu, Jan 17, 2019 at 12:00:13AM +0100, Sebastian Ramacher wrote:
> Control: found -1 2016.11.28-1
>
> On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> > Source: liblivemedia
> > Severity: grave
> > Tags: security
> >
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
> >
> > Cheers,
> > Moritz
>
> Not sure if I'm missing something, but the PoC does not seem to work on
> buster/sid. On stretch I get segfaults, but only if I abort the PoC. So marking
> as found in stable and closing for sid.
Not having a poc triggering does not necessarly mean the issue needs
to be fixed. Do we know something on the actual fix? Skimming (but
only superficial) in the git repository I have not found something
obvious, but possible I only missed it.
Regards,
Salvatore
Unset Bug forwarded-to-address
Request was from Sebastian Ramacher <sramacher@debian.org>
to control@bugs.debian.org.
(Sun, 20 Jan 2019 14:09:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#919529; Package src:liblivemedia.
(Sun, 20 Jan 2019 14:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Sun, 20 Jan 2019 14:27:03 GMT) (full text, mbox, link).
Message #38 received at 919529@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 2019-01-19 22:36:05, Salvatore Bonaccorso wrote:
> Hey!
>
> On Thu, Jan 17, 2019 at 12:00:13AM +0100, Sebastian Ramacher wrote:
> > Control: found -1 2016.11.28-1
> >
> > On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> > > Source: liblivemedia
> > > Severity: grave
> > > Tags: security
> > >
> > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
> > >
> > > Cheers,
> > > Moritz
> >
> > Not sure if I'm missing something, but the PoC does not seem to work on
> > buster/sid. On stretch I get segfaults, but only if I abort the PoC. So marking
> > as found in stable and closing for sid.
>
> Not having a poc triggering does not necessarly mean the issue needs
> to be fixed. Do we know something on the actual fix? Skimming (but
> only superficial) in the git repository I have not found something
> obvious, but possible I only missed it.
http://lists.live555.com/pipermail/live-devel/2018-November/021099.html
explicitely mentions that the issue was fixed in 2018.11.26.
Cheers
--
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#919529; Package src:liblivemedia.
(Mon, 21 Jan 2019 16:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Mon, 21 Jan 2019 16:33:06 GMT) (full text, mbox, link).
Message #43 received at 919529@bugs.debian.org (full text, mbox, reply):
Hi,
On Sun, Jan 20, 2019 at 03:22:31PM +0100, Sebastian Ramacher wrote:
> On 2019-01-19 22:36:05, Salvatore Bonaccorso wrote:
> > Hey!
> >
> > On Thu, Jan 17, 2019 at 12:00:13AM +0100, Sebastian Ramacher wrote:
> > > Control: found -1 2016.11.28-1
> > >
> > > On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> > > > Source: liblivemedia
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6256
> > > >
> > > > Cheers,
> > > > Moritz
> > >
> > > Not sure if I'm missing something, but the PoC does not seem to work on
> > > buster/sid. On stretch I get segfaults, but only if I abort the PoC. So marking
> > > as found in stable and closing for sid.
> >
> > Not having a poc triggering does not necessarly mean the issue needs
> > to be fixed. Do we know something on the actual fix? Skimming (but
> > only superficial) in the git repository I have not found something
> > obvious, but possible I only missed it.
>
> http://lists.live555.com/pipermail/live-devel/2018-November/021099.html
> explicitely mentions that the issue was fixed in 2018.11.26.
perfect, thank you!
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:37:34 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon