Your message dated Mon, 26 Apr 2021 07:33:30 +0000 with message-id <E1lavkI-000CqB-Hy@fasolo.debian.org> and subject line Bug#986839: fixed in mpv 0.32.0-3 has caused the Debian Bug report #986839, regarding mpv: CVE-2021-30145 - demux_mf: improve format string processing to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
986839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986839
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: mpv: New upstream version 0.33.1 fixes CVE-2021-30145
- From: Wessel Dankers <wsl-debbugs-mpv@fruit.je>
- Date: Mon, 12 Apr 2021 19:39:14 +0200
- Message-id: <20210412173914.GS231672@fruit.je>
Package: mpv
Version: 0.32.0-2+b1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Dear Maintainer,

Version 0.33.1 was released on Mon, 5 Apr 2021. Apparently this fixes a security problem (CVE-2021-30145) that affects every version since 2002.

A description of the problem can be found at:

https://github.com/mpv-player/mpv/commit/cb3fa04bcb2ba9e0d25788480359157208c13e0b

The release can be found at:

https://github.com/mpv-player/mpv/releases

Thanks,

Wessel Dankers

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mpv depends on:
ii libarchive13 3.4.3-2+b1
ii libasound2 1.2.4-1.1
ii libass9 1:0.15.0-1
ii libavcodec58 7:4.3.2-0+deb11u1
ii libavdevice58 7:4.3.2-0+deb11u1
ii libavfilter7 7:4.3.2-0+deb11u1
ii libavformat58 7:4.3.2-0+deb11u1
ii libavutil56 7:4.3.2-0+deb11u1
ii libbluray2 1:1.2.1-4
ii libc6 2.31-11
ii libcaca0 0.99.beta19-2.2
ii libcdio-cdda2 10.2+2.0.0-1+b2
ii libcdio-paranoia2 10.2+2.0.0-1+b2
ii libcdio19 2.1.0-2
ii libdrm2 2.4.104-1
ii libdvdnav4 6.1.0-1+b1
ii libegl1 1.3.2-1
ii libgbm1 20.3.4-1
ii libgl1 1.3.2-1
ii libjack-jackd2-0 [libjack-0.125] 1.9.17~dfsg-1
ii libjpeg62-turbo 1:2.0.6-4
ii liblcms2-2 2.12~rc1-2
ii liblua5.2-0 5.2.4-1.1+b3
ii libpulse0 14.2-2
ii librubberband2 1.9.0-1
ii libsdl2-2.0-0 2.0.14+dfsg2-3
ii libsmbclient 2:4.13.5+dfsg-1
ii libsndio7.0 1.5.0-3
ii libswresample3 7:4.3.2-0+deb11u1
ii libswscale5 7:4.3.2-0+deb11u1
ii libuchardet0 0.0.7-1
ii libva-drm2 2.10.0-1
ii libva-wayland2 2.10.0-1
ii libva-x11-2 2.10.0-1
ii libva2 2.10.0-1
ii libvdpau1 1.4-3
ii libwayland-client0 1.18.0-2~exp1.1
ii libwayland-cursor0 1.18.0-2~exp1.1
ii libwayland-egl1 1.18.0-2~exp1.1
ii libx11-6 2:1.7.0-2
ii libxext6 2:1.3.3-1.1
ii libxinerama1 2:1.1.4-2
ii libxkbcommon0 1.0.3-2
ii libxrandr2 2:1.5.1-1
ii libxss1 1:1.2.3-1
ii libxv1 2:1.0.11-1
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages mpv recommends:
pn xdg-utils <none>
pn youtube-dl <none>

mpv suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 986839-close@bugs.debian.org
- Subject: Bug#986839: fixed in mpv 0.32.0-3
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 26 Apr 2021 07:33:30 +0000
- Message-id: <E1lavkI-000CqB-Hy@fasolo.debian.org>
- Reply-to: Sebastian Ramacher <sramacher@debian.org>
Source: mpv
Source-Version: 0.32.0-3
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 986839@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 26 Apr 2021 09:10:40 +0200
Source: mpv
Architecture: source
Version: 0.32.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 986839
Changes:
 mpv (0.32.0-3) unstable; urgency=medium
 .
   * debian/patches: Apply upstream fix for CVE-2021-30145 (Closes: #986839)
     Thanks to Jan Ekström.
--- End Message ---