Bug#1053182: marked as done (libvpx: CVE-2023-5217)



Your message dated Sun, 01 Oct 2023 16:47:08 +0000
with message-id <E1qmzb2-000EGh-VX@fasolo.debian.org>
and subject line Bug#1053182: fixed in libvpx 1.12.0-1+deb12u1
has caused the Debian Bug report #1053182,
regarding libvpx: CVE-2023-5217
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1053182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libvpx
Version: 1.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libvpx.

CVE-2023-5217[0]:
| Heap buffer overflow in vp8 encoding in libvpx in Google Chrome
| prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker
| to potentially exploit heap corruption via a crafted HTML page.
| (Chromium security severity: High)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5217
    https://www.cve.org/CVERecord?id=CVE-2023-5217
[1] https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
[2] https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvpx
Source-Version: 1.12.0-1+deb12u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 28 Sep 2023 22:55:08 +0200
Source: libvpx
Architecture: source
Version: 1.12.0-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1053182
Changes:
 libvpx (1.12.0-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * encode_api_test: add ConfigResizeChangeThreadCount
   * VP8: disallow thread count changes (CVE-2023-5217) (Closes: #1053182)


--- End Message ---