
Bug#986839: marked as done (mpv: CVE-2021-30145 - demux_mf: improve format string processing)



Your message dated Mon, 26 Apr 2021 07:33:30 +0000
with message-id <E1lavkI-000CqB-Hy@fasolo.debian.org>
and subject line Bug#986839: fixed in mpv 0.32.0-3
has caused the Debian Bug report #986839,
regarding mpv: CVE-2021-30145 - demux_mf: improve format string processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986839
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mpv
Version: 0.32.0-2+b1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Dear Maintainer,

Version 0.33.1 was released on Mon, 5 Apr 2021. Apparently this fixes a
security problem (CVE-2021-30145) that affects every version since 2002.

A description of the problem can be found at:

	https://github.com/mpv-player/mpv/commit/cb3fa04bcb2ba9e0d25788480359157208c13e0b

The release can be found at:

	https://github.com/mpv-player/mpv/releases

Thanks,

Wessel Dankers

-- System Information:
Debian Release: bullseye/sid
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mpv depends on:
ii  libarchive13                      3.4.3-2+b1
ii  libasound2                        1.2.4-1.1
ii  libass9                           1:0.15.0-1
ii  libavcodec58                      7:4.3.2-0+deb11u1
ii  libavdevice58                     7:4.3.2-0+deb11u1
ii  libavfilter7                      7:4.3.2-0+deb11u1
ii  libavformat58                     7:4.3.2-0+deb11u1
ii  libavutil56                       7:4.3.2-0+deb11u1
ii  libbluray2                        1:1.2.1-4
ii  libc6                             2.31-11
ii  libcaca0                          0.99.beta19-2.2
ii  libcdio-cdda2                     10.2+2.0.0-1+b2
ii  libcdio-paranoia2                 10.2+2.0.0-1+b2
ii  libcdio19                         2.1.0-2
ii  libdrm2                           2.4.104-1
ii  libdvdnav4                        6.1.0-1+b1
ii  libegl1                           1.3.2-1
ii  libgbm1                           20.3.4-1
ii  libgl1                            1.3.2-1
ii  libjack-jackd2-0 [libjack-0.125]  1.9.17~dfsg-1
ii  libjpeg62-turbo                   1:2.0.6-4
ii  liblcms2-2                        2.12~rc1-2
ii  liblua5.2-0                       5.2.4-1.1+b3
ii  libpulse0                         14.2-2
ii  librubberband2                    1.9.0-1
ii  libsdl2-2.0-0                     2.0.14+dfsg2-3
ii  libsmbclient                      2:4.13.5+dfsg-1
ii  libsndio7.0                       1.5.0-3
ii  libswresample3                    7:4.3.2-0+deb11u1
ii  libswscale5                       7:4.3.2-0+deb11u1
ii  libuchardet0                      0.0.7-1
ii  libva-drm2                        2.10.0-1
ii  libva-wayland2                    2.10.0-1
ii  libva-x11-2                       2.10.0-1
ii  libva2                            2.10.0-1
ii  libvdpau1                         1.4-3
ii  libwayland-client0                1.18.0-2~exp1.1
ii  libwayland-cursor0                1.18.0-2~exp1.1
ii  libwayland-egl1                   1.18.0-2~exp1.1
ii  libx11-6                          2:1.7.0-2
ii  libxext6                          2:1.3.3-1.1
ii  libxinerama1                      2:1.1.4-2
ii  libxkbcommon0                     1.0.3-2
ii  libxrandr2                        2:1.5.1-1
ii  libxss1                           1:1.2.3-1
ii  libxv1                            2:1.0.11-1
ii  zlib1g                            1:1.2.11.dfsg-2

Versions of packages mpv recommends:
pn  xdg-utils   <none>
pn  youtube-dl  <none>

mpv suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.32.0-3
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Apr 2021 09:10:40 +0200
Source: mpv
Architecture: source
Version: 0.32.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 986839
Changes:
 mpv (0.32.0-3) unstable; urgency=medium
 .
   * debian/patches: Apply upstream fix for CVE-2021-30145 (Closes: #986839)
     Thanks to Jan Ekström.
Checksums-Sha1:
 6b3312b0fef6c47223cd3da7e5a0946596d66be4 2842 mpv_0.32.0-3.dsc
 b7fca706e67a7c8aae69343ad8da8e7a65b6f26a 109560 mpv_0.32.0-3.debian.tar.xz
Checksums-Sha256:
 703e92acab10dc2d121cd4939c382ec300bfac427bbef12cb03a95516679f2c4 2842 mpv_0.32.0-3.dsc
 98d0a993dc7382ba02f09d81ece32fd31da2e09b0abef036ef5335cc8cc22929 109560 mpv_0.32.0-3.debian.tar.xz
Files:
 b67f7869158a1ec21311484505546da4 2842 video optional mpv_0.32.0-3.dsc
 3f2ea80d2626845cd99db55c2343af17 109560 video optional mpv_0.32.0-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
