libtheora: multiple vulnerabilities in lenny

Related Vulnerabilities: CVE-2009-3389  

Debian Bug report logs - #572950

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 7 Mar 2010 19:51:01 UTC

Severity: serious

Tags: lenny, security

Found in version 1.0~beta3-1

Fixed in versions 1.1.0-1, libtheora/1.0~beta3-1+lenny1

Done: Michael Gilbert <michael.s.gilbert@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers):
Bug#572950; Package libtheora. (Sun, 07 Mar 2010 19:51:04 GMT).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to pkg-xiph-maint@lists.alioth.debian.org (Debian Xiph.org Maintainers). (Sun, 07 Mar 2010 19:51:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: libtheora: multiple vulnerabilities in lenny
Date: Sun, 7 Mar 2010 14:51:06 -0500
package: libtheora
version: 1.0~beta3-1
severity: serious
tags: security

Hi,

I have prepared a lenny package for the theora issues that
were recently addressed in xulrunner. Note that two of them never got a
CVE (one should probably be requested), but have been fixed ever since
the first release of firefox 3.5. The package is at
http://alioth.debian.org/~gilbert-guest/libtheora and the debdiff is
attached.

These issues are already fixed in unstable.  Please coordinate with the
security team to release a DSA for lenny.

Thanks,
Mike
[libtheora-lenny.debdiff (application/octet-stream, attachment)]

Added tag(s) lenny. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Tue, 09 Mar 2010 19:09:08 GMT).


Reply sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
You have taken responsibility. (Tue, 25 May 2010 02:09:03 GMT).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 25 May 2010 02:09:03 GMT).


Message #12 received at 572950-close@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 572950-close@bugs.debian.org
Subject: Bug#572950: fixed in libtheora 1.0~beta3-1+lenny1
Date: Tue, 25 May 2010 02:07:46 +0000
Source: libtheora
Source-Version: 1.0~beta3-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libtheora, which is due to be installed in the Debian FTP archive:

libtheora-bin_1.0~beta3-1+lenny1_i386.deb
  to main/libt/libtheora/libtheora-bin_1.0~beta3-1+lenny1_i386.deb
libtheora-dev_1.0~beta3-1+lenny1_i386.deb
  to main/libt/libtheora/libtheora-dev_1.0~beta3-1+lenny1_i386.deb
libtheora0_1.0~beta3-1+lenny1_i386.deb
  to main/libt/libtheora/libtheora0_1.0~beta3-1+lenny1_i386.deb
libtheora_1.0~beta3-1+lenny1.diff.gz
  to main/libt/libtheora/libtheora_1.0~beta3-1+lenny1.diff.gz
libtheora_1.0~beta3-1+lenny1.dsc
  to main/libt/libtheora/libtheora_1.0~beta3-1+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572950@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <michael.s.gilbert@gmail.com> (supplier of updated libtheora package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 16 Jan 2010 14:53:59 -0500
Source: libtheora
Binary: libtheora0 libtheora-dev libtheora-bin
Architecture: source i386
Version: 1.0~beta3-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Michael Gilbert <michael.s.gilbert@gmail.com>
Description: 
 libtheora-bin - The Theora Video Compression Codec (example encoder, decoder)
 libtheora-dev - The Theora Video Compression Codec (development files)
 libtheora0 - The Theora Video Compression Codec
Closes: 572950
Changes: 
 libtheora (1.0~beta3-1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team (Closes: #572950).
   * Fixes potential arbitrary code execution vulnerability: CVE-2009-3389.
   * Fixes two other potential vulnerabilities as applied to xulrunner
     since version 1.9.1.





Bug Marked as fixed in versions 1.1.0-1. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 01 Aug 2010 21:54:06 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 30 Aug 2010 07:34:11 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:19:44 2019; Machine Name: buxtehude
