
Bug#932241: marked as done (libebml: CVE-2019-13615)



Your message dated Wed, 14 Aug 2019 18:47:46 +0000
with message-id <E1hxyJG-0005Ld-7z@fasolo.debian.org>
and subject line Bug#932241: fixed in libebml 1.3.4-1+deb9u1
has caused the Debian Bug report #932241,
regarding libebml: CVE-2019-13615
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
932241: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932241
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: vlc
Version: 3.0.7.1-2
Severity: important
Tags: security upstream
Forwarded: https://trac.videolan.org/vlc/ticket/22474
Control: found -1 3.0.7.1-1
Control: found -1 3.0.7-1
Control: found -1 3.0.7-0+deb9u1

Hi,

The following vulnerability was published for vlc, sorry another one.
For buster, stretch I think we can follow the usual strategy and
release a new upstream stable version once available.

CVE-2019-13615[0]:
| VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in
| mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when
| called from mkv::Open in modules/demux/mkv/mkv.cpp.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13615
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13615
[1] https://trac.videolan.org/vlc/ticket/22474

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libebml
Source-Version: 1.3.4-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libebml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated libebml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Aug 2019 22:09:57 +0200
Source: libebml
Binary: libebml4v5 libebml-dev
Architecture: source
Version: 1.3.4-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libebml-dev - access library for the EBML format (development files)
 libebml4v5 - access library for the EBML format (shared library)
Closes: 932241
Changes:
 libebml (1.3.4-1+deb9u1) stretch; urgency=medium
 .
   * debian/patches: Apply upstream fixes for heap-based buffer over-reads.
     (CVE-2019-13615) (Closes: #932241)
Checksums-Sha1:
 2ff6efe1257670c25077b492995d70f2687120e8 2149 libebml_1.3.4-1+deb9u1.dsc
 6585b316d3e2762abaada7208546a0e3a8a346f9 6688 libebml_1.3.4-1+deb9u1.debian.tar.xz
Checksums-Sha256:
 0fe45d348207ac780b2a92faedc75b9ab05447940ef26ce5990b26219fd6d785 2149 libebml_1.3.4-1+deb9u1.dsc
 17f025fd56e3d121415d7b03ef3a1050d9bd5565bbef0252af9c3ece22a2c878 6688 libebml_1.3.4-1+deb9u1.debian.tar.xz
Files:
 672f6d62dd91fc7b00f655bf311a9176 2149 devel optional libebml_1.3.4-1+deb9u1.dsc
 1daf8629896836bd936bc1fa93f02fc6 6688 devel optional libebml_1.3.4-1+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
