Debian Bug report logs -
#926963
gpac: CVE-2019-11221: buffer-overflow issue in gf_import_message() in media_import.c
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Apr 2019 20:27:02 UTC
Severity: important
Tags: security, upstream
Found in versions gpac/0.5.2-426-gc5ad4e4+dfsg5-3, gpac/0.5.2-426-gc5ad4e4+dfsg5-4.1, gpac/0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
Fixed in versions gpac/0.5.2-426-gc5ad4e4+dfsg5-5, gpac/0.7.1+dfsg1-3
Done: Reinhard Tartler <siretart@tauware.de>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/gpac/gpac/issues/1203
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#926963; Package src:gpac.
(Fri, 12 Apr 2019 20:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>.
(Fri, 12 Apr 2019 20:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gpac
Version: 0.5.2-426-gc5ad4e4+dfsg5-4.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/gpac/gpac/issues/1203
Control: found -1 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
Control: found -1 0.5.2-426-gc5ad4e4+dfsg5-3
Hi,
The following vulnerability was published for gpac.
CVE-2019-11221[0]:
| GPAC 0.7.1 has a buffer overflow issue in gf_import_message() in
| media_import.c.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11221
[1] https://github.com/gpac/gpac/issues/1203
[2] https://github.com/gpac/gpac/commit/f4616202e5578e65746cf7e7ceeba63bee1b094b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions gpac/0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 12 Apr 2019 20:27:04 GMT) (full text, mbox, link).
Marked as found in versions gpac/0.5.2-426-gc5ad4e4+dfsg5-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 12 Apr 2019 20:27:05 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#926963.
(Sat, 13 Apr 2019 20:39:05 GMT) (full text, mbox, link).
Message #12 received at 926963-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #926963 in gpac reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/multimedia-team/gpac/commit/5f5a3bea41849286d8431e558367bbf97368c613
------------------------------------------------------------------------
Prepare new upload
* Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
to Salvatore Bonaccorso (Closes: #926961).
* Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/926963
Added tag(s) pending.
Request was from Reinhard Tartler <noreply@salsa.debian.org>
to 926963-submitter@bugs.debian.org.
(Sat, 13 Apr 2019 20:39:05 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#926963.
(Sat, 13 Apr 2019 21:03:13 GMT) (full text, mbox, link).
Message #17 received at 926963-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #926963 in gpac reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/multimedia-team/gpac/commit/5f5a3bea41849286d8431e558367bbf97368c613
------------------------------------------------------------------------
Prepare new upload
* Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
to Salvatore Bonaccorso (Closes: #926961).
* Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/926963
Reply sent
to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.
(Sat, 13 Apr 2019 21:06:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 13 Apr 2019 21:06:06 GMT) (full text, mbox, link).
Message #22 received at 926963-close@bugs.debian.org (full text, mbox, reply):
Source: gpac
Source-Version: 0.5.2-426-gc5ad4e4+dfsg5-5
We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 926963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated gpac package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Apr 2019 16:41:15 -0400
Source: gpac
Architecture: source
Version: 0.5.2-426-gc5ad4e4+dfsg5-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 926961 926963
Changes:
gpac (0.5.2-426-gc5ad4e4+dfsg5-5) unstable; urgency=medium
.
[ Moritz Muehlenhoff ]
* Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
to Salvatore Bonaccorso (Closes: #926961).
* Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
Checksums-Sha1:
87ee388ad9fc8d3602c02b8b52a67ae45786ef69 2707 gpac_0.5.2-426-gc5ad4e4+dfsg5-5.dsc
1704c931348d58dba7778007e88569690a7f3afc 43692 gpac_0.5.2-426-gc5ad4e4+dfsg5-5.debian.tar.xz
Checksums-Sha256:
8d2584c04673ff9ca9b235d42bb3ce37caaaf71205d4bc1a5ca549bdaae6ed7a 2707 gpac_0.5.2-426-gc5ad4e4+dfsg5-5.dsc
a827ba9c1fdc64ef9a04515e306cba8f614eafa2730b83eea3cf6a57cfbfcbd4 43692 gpac_0.5.2-426-gc5ad4e4+dfsg5-5.debian.tar.xz
Files:
e8fb23750dea9aed3c8617a85a2d3151 2707 graphics optional gpac_0.5.2-426-gc5ad4e4+dfsg5-5.dsc
5aa9f8ecce5a70745c10638480b2c42c 43692 graphics optional gpac_0.5.2-426-gc5ad4e4+dfsg5-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAlyySd4UHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsuLWg//aWCbEl3s1559yhebhhtJj/Hx92fj
KTMiAstjBtig0vX1sGunzI/qK24aHq+90Ld2kWxk9N7IBL2wcl1GkjuyvtSZQOSh
oaD8v9jjtiGBdETNctG5JKsZXQ60RLJUWmDeiV278jfqFjcWD3YV7pQ9jojFaKJG
SBFE4/f22QVnmJDYQAGBzbIqR3PU6+auYDJianPSvL3qEyFI2AXDN3N/wwIWYkk6
c30Ouqm1Wm3YPQFDp/p7I0DQjM0qukIg9AXLvAHWwjxv9IAVj0fWcz/vDlL+Z4IQ
unXWHWFiOXJe8+kVgXuGPvFR+lDqNwlxjiGM4agPyMdpduRfECzAliWKNq6kIZdr
aIIEOid0mdI33IAG045nqfNPBnoP8RJxZ6Td8y/6zXEPzK/GjsGZ/rh01w1XUo8N
ukz9nK55eIAZXt2HcyPP4bVPOYTwUjudCa8VJIUvlpTeJY6Fq+l4/rQy4fvb2Thg
Es+tA6dHy3fNbHM22Mv+GfFlIFZcnACHf79h4nrJF4R3FXGzcbkUynuhi/F/sQaf
2Kt/mgjwENEiTwtcp4LAedaTgA/EslM1MWsFJ+ukKDfYBOLURpIIs2qV5wdzxbXg
0KfMp5OvzjrHnKH/hEK+4V5mlYse098ekctT/Kk1Qv0RndOwSP5UiUmbl73cex85
N+NrCdXrzm7XID8=
=CYuu
-----END PGP SIGNATURE-----
Reply sent
to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.
(Sat, 13 Apr 2019 21:21:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 13 Apr 2019 21:21:08 GMT) (full text, mbox, link).
Message #27 received at 926963-close@bugs.debian.org (full text, mbox, reply):
Source: gpac
Source-Version: 0.7.1+dfsg1-3
We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 926963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated gpac package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Apr 2019 16:52:04 -0400
Source: gpac
Architecture: source
Version: 0.7.1+dfsg1-3
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 926961 926963
Changes:
gpac (0.7.1+dfsg1-3) experimental; urgency=medium
.
* Merge security patches from unstable
Closes: #926961, Closes: #926963
Checksums-Sha1:
9666e1ad1d5edc9b7a09be98e4c554dcc600e445 2691 gpac_0.7.1+dfsg1-3.dsc
a20e01d9353bf4dfda445647456084f7d0b66f5d 45448 gpac_0.7.1+dfsg1-3.debian.tar.xz
Checksums-Sha256:
26276b5e08112751122aaad4ae22e826d3552abeb75541450b105e47ef665068 2691 gpac_0.7.1+dfsg1-3.dsc
8b7036374d56a9c9f0dfb3e3a757dac301ecc45ef39d331161bff596bedb9d85 45448 gpac_0.7.1+dfsg1-3.debian.tar.xz
Files:
a15eb462cc2ce70ca570e33e2aeb528e 2691 graphics optional gpac_0.7.1+dfsg1-3.dsc
bda1c51a0d0ce0f13287dbbd9e1c6e7e 45448 graphics optional gpac_0.7.1+dfsg1-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAlyyTq4UHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJssD3Q/+KmZz2HFWLTN/2S1ljlWjCzCuJPt8
+CimxsyDPGoMFR4GElCcEdJK/Xi+poAINYlHARxHGJw5ZtbhG7YppaLO2HfNUBQz
Hng7TxE3jlgj6ExeUnRLiu/gcq2COFn1+j9HmdWA1XmejxW2i6UG7rsGuAgii97L
vqpQJmxAJNWmM+fxVJdpkWed+zUb/iB6byhaBSTzdUVcaotu25GPwSEvWkX+jmMC
Xr2GjqDQA/+BpqCfhA8zCQgRDdErZlvUDYfdXTyO3y20VuR+2xI7fKeJHcYVJACe
BoEiE0oipfXhtElzsns7ufHH4oZobs+3mixTxID1BHiZGKuszB1jCDF+dcOwXE+G
rrENJf8kOje3EHiE9i9DMZHQ0nYclqQXlcZrsAXXOya8H0Z+Gwg9i7bPhxHQYS2J
qJErMrAYBLXrr8TwKN6rNFAk1MPGMNZU7k6p5tzS4AgRuv5lMUlQ2sMRV3RPPsKp
qtbAhnMuu5Ebasn0Ro9Mt3T7LznRvTXQHY9UkyIO9rukCZwnR9Hc5eVkL5DJ483P
uZGzsJj0If8SSg5VZdSunACkWEWw7p97wEmaJSAA+mwunyZDNX0cKv0WrzaCJfDc
Claqf4YgPxtQcklKnq4ZAmDUi5utd+ZBms75oCv06/NH8c2ZKWIpaZVot4bI8jal
sRwe53FHxouMQkg=
=jmyP
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 12 May 2019 07:29:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:35:07 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon