
Bug#988211: marked as done (CVE-2021-30473)



Your message dated Tue, 26 Oct 2021 18:00:10 +0000
with message-id <E1mfQk6-000J4o-0s@fasolo.debian.org>
and subject line Bug#988211: fixed in aom 3.2.0-1~exp1
has caused the Debian Bug report #988211,
regarding CVE-2021-30473
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988211: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988211
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: aom
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

CVE-2021-30473:
| aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.

Unfortunately https://bugs.chromium.org/p/aomedia/issues/detail?id=2998 is private,
but the fix appears to be
https://aomedia.googlesource.com/aom/+/4efe20e99dcd9b6f8eadc8de8acc825be7416578

Cheers,
        Moritz	

--- End Message ---
--- Begin Message ---
Source: aom
Source-Version: 3.2.0-1~exp1
Done: Boyuan Yang <byang@debian.org>

We believe that the bug you reported is fixed in the latest version of
aom, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988211@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boyuan Yang <byang@debian.org> (supplier of updated aom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Oct 2021 18:37:31 -0400
Source: aom
Binary: aom-tools aom-tools-dbgsym libaom-dev libaom-doc libaom3 libaom3-dbgsym
Architecture: source amd64 all
Version: 3.2.0-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Boyuan Yang <byang@debian.org>
Description:
 aom-tools  - AV1 Video Codec Library -- Tools
 libaom-dev - AV1 Video Codec Library -- Development Files
 libaom-doc - AV1 Video Codec Library -- Documentation
 libaom3    - AV1 Video Codec Library
Closes: 952564 972467 988211
Changes:
 aom (3.2.0-1~exp1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release 3.2.0. (Closes: #972467, #952564)
     + Fix various security issues. (CVE-2021-30474, CVE-2021-30475)
     + Fix non-heap memory free. (Closes: #988211, CVE-2021-30473)
   * debian/control:
     + Bump Standards-Version to 4.6.0.
     + Rename library package libaom0 -> libaom3 (SONAME bump).
   * debian/patches: Dropped old patches, merged upstream.
   * debian/patches/0001-mathjax: Use local mathjax js copy from
     libjs-mathjax to prevent privacy breach (lintian error).
   * debian/watch: Update to properly handle RC versions.
   * debian/copyright: Refresh copyright information.
   * debian/libaom3.symbols: Document library symbols.
   * debian/libaom-dev.install: Also install static library.
   * debian/rules:
     + Do not set LIB_INSTALL_DIR since aom upstream is no longer using
       this variable.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
