
Bug#1053182: marked as done (libvpx: CVE-2023-5217)



Your message dated Sun, 01 Oct 2023 12:17:28 +0000
with message-id <E1qmvO4-00Gnj2-0t@fasolo.debian.org>
and subject line Bug#1053182: fixed in libvpx 1.9.0-1+deb11u1
has caused the Debian Bug report #1053182,
regarding libvpx: CVE-2023-5217
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1053182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libvpx
Version: 1.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libvpx.

CVE-2023-5217[0]:
| Heap buffer overflow in vp8 encoding in libvpx in Google Chrome
| prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker
| to potentially exploit heap corruption via a crafted HTML page.
| (Chromium security severity: High)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5217
    https://www.cve.org/CVERecord?id=CVE-2023-5217
[1] https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
[2] https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvpx
Source-Version: 1.9.0-1+deb11u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 28 Sep 2023 23:35:53 +0200
Source: libvpx
Architecture: source
Version: 1.9.0-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1053182
Changes:
 libvpx (1.9.0-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * VP8: disallow thread count changes (CVE-2023-5217) (Closes: #1053182)
Checksums-Sha1: 
 c1a7620b9db943781f683b291529ca9651dd3fb1 2434 libvpx_1.9.0-1+deb11u1.dsc
 2ab8203ad8922bdf3256e4a197d1348fa8db9a62 5326239 libvpx_1.9.0.orig.tar.gz
 b34952e3f584bb0dc3c8a392b8a7eafc0e405f70 12396 libvpx_1.9.0-1+deb11u1.debian.tar.xz
Checksums-Sha256: 
 7331d30483207cdb23c67a6be7f711190aee2f8470a0afe4252681e8631c9977 2434 libvpx_1.9.0-1+deb11u1.dsc
 d279c10e4b9316bf11a570ba16c3d55791e1ad6faa4404c67422eb631782c80a 5326239 libvpx_1.9.0.orig.tar.gz
 7514508f3829028ea6ae4fcf0f2812b989214f4e871500d1f3cd05e334f68fb5 12396 libvpx_1.9.0-1+deb11u1.debian.tar.xz
Files: 
 823dee50d4cf5b4d845fce89bb47dc0e 2434 video optional libvpx_1.9.0-1+deb11u1.dsc
 e5fab59896984392124d0bfaffc36e14 5326239 video optional libvpx_1.9.0.orig.tar.gz
 ace31b57417a4ee0fb308a29aeb6418c 12396 video optional libvpx_1.9.0-1+deb11u1.debian.tar.xz


--- End Message ---
