Your message dated Tue, 07 Mar 2023 12:04:26 +0000
with message-id <E1pZW3O-00Dkla-Fx@fasolo.debian.org>
and subject line Bug#1019595: fixed in gpac 2.0.0+dfsg1-4
has caused the Debian Bug report #1019595,
regarding gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1019595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019595
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: gpac: CVE-2022-38530 CVE-2022-36186 CVE-2022-36190 CVE-2022-36191
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Mon, 12 Sep 2022 22:34:05 +0200
- Message-id: <Yx+XvRRm6ka5O6N8@pisco.westfalen.local>
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-38530[0]:
| GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a
| stack overflow when processing ISOM_IOD.

https://github.com/gpac/gpac/issues/2216
https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d

CVE-2022-36186[1]:
| A Null Pointer dereference vulnerability exists in GPAC
| 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full ()
| at filter_core/filter_pid.c:5250, which causes a Denial of Service
| (DoS). This vulnerability was fixed in commit b43f9d1.

https://github.com/gpac/gpac/issues/2223
https://github.com/gpac/gpac/commit/b43f9d1a4b4e33d08edaef6d313e6ce4bdf554d3

CVE-2022-36190[2]:
| GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free
| vulnerability in function gf_isom_dovi_config_get. This vulnerability
| was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2220
Fixed along with:
https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

CVE-2022-36191[3]:
| A heap-buffer-overflow had occurred in function
| gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by
| MP4Box. This vulnerability was fixed in commit fef6242.

https://github.com/gpac/gpac/issues/2218
https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38530
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38530
[1] https://security-tracker.debian.org/tracker/CVE-2022-36186
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36186
[2] https://security-tracker.debian.org/tracker/CVE-2022-36190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190
[3] https://security-tracker.debian.org/tracker/CVE-2022-36191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36191

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1019595-close@bugs.debian.org
- Subject: Bug#1019595: fixed in gpac 2.0.0+dfsg1-4
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 07 Mar 2023 12:04:26 +0000
- Message-id: <E1pZW3O-00Dkla-Fx@fasolo.debian.org>
- Reply-to: Reinhard Tartler <siretart@tauware.de>
Source: gpac
Source-Version: 2.0.0+dfsg1-4
Done: Reinhard Tartler <siretart@tauware.de>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1019595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Mar 2023 06:41:07 -0500
Source: gpac
Architecture: source
Version: 2.0.0+dfsg1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1007224 1015788 1016142 1016443 1019595
Changes:
 gpac (2.0.0+dfsg1-4) unstable; urgency=medium
 .
   * make lintian overrides backwards compatible
 .
 gpac (2.0.0+dfsg1-3) unstable; urgency=medium
 .
   * Backport security fixes for CVE-2022-29339 CVE-2022-29340
     CVE-2022-29537 CVE-2022-30976 CVE-2022-1035 CVE-2022-1172
     CVE-2022-1222 CVE-2022-1441 CVE-2022-1795, Closes: 1016443
   * Backport more security fixes CVE-2022-2453 CVE-2022-2454,
     Closes: #1015788
   * Backport more security fixes CVE-2022-38530 CVE-2022-36186
     CVE-2022-36190 CVE-2022-36191, Closes: #1019595
   * Backport more security fixes CVE-2022-2549, closes: #1016142,
     CVE-2022-26967, Closes: #1007224
   * fix some lintian overrides
   * update build-depends on libfreetype-dev
Checksums-Sha1:
 b6c5b5d9c08e109ba5f13f5b5a282b5306aaefa5 2656 gpac_2.0.0+dfsg1-4.dsc
 be3e2f904bc5a29cef57ed566d2ba0239f97dc63 44148 gpac_2.0.0+dfsg1-4.debian.tar.xz
Checksums-Sha256:
 930ca15bda8f5c74350afc37e5530d92b4970bec3c6c2f67cc3e284bc8aef00f 2656 gpac_2.0.0+dfsg1-4.dsc
 408d11657cbedeaefb9e72a9e3e03394c482ae990bef041f52a4f613735b88e1 44148 gpac_2.0.0+dfsg1-4.debian.tar.xz
Files:
 6f651e86a4c39a5a01358de89ae1e372 2656 graphics optional gpac_2.0.0+dfsg1-4.dsc
 aa25e293541c619cd4c97333004883a2 44148 graphics optional gpac_2.0.0+dfsg1-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmQHIwMUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsszURAApGc9Sl8ccQq6k8DL6JuJhyIg5w/Q
/jmJ/Z2CLxVzLYavUM1yDYnKa7N+5g9MxIsADhWpgD8xrSVY6CFZqAEWatKRpiII
tcCgMgwTljpA9Bbfw/AP3ltjm1ZQRdONMz5sOqpX0UUXeFdXp8R7XDFnSBpJhWeK
3MOTUAdL2fFyWEZ2hnOQFpIu0amsKqAPzTVYNENJTajLyh4DSHwDxilac+O8mfBT
Vl+u1nV7EUZXnbNhGrgRvbrW3wlg6EEtbWwqkun9rRS+fK3MYXldyGRkPv904lo9
yBQRr2Ds8eBI3/dpbKSt6T/UF1AePFcozPuzvPCJ+tABX8cISQHKPpH7j8sNG2KH
XlqBeS17m5NQTApCMUDdBJ0+yx58yiY/lF7CK6qZypEqVmgxjyGf/0O+bDOfzXhu
JGciti3BZ6xpGcWzul0AssuyX4DnHHQZC3tYvgxFXLpqqTjwcBhHzOPI5yU8DCkJ
fvupD46gvVoo80jBpiuO453J3PhLZsfyd8UnFcq5U8F2wJKF4NhDDupbw1wU3f7q
ajC0EBfdKS6XM/frDCIYNTlgtc+G5f3gOfCcZNnSaAoNMPrAs3/bc4xI1UJbAKH3
mE4ltXuHYI5NOgJ9Vse9/w237mi0vNX9SbwAJZwDdHaeeHutzONffNC1bagxXx3A
fBhJ21TBsZ1Xhs4=
=77jP
-----END PGP SIGNATURE-----
--- End Message ---
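An added check, not part of either BTS message above and not code from the gpac project or Debian: the close message names gpac 2.0.0+dfsg1-4 as the version carrying the backported fixes for CVE-2022-38530, CVE-2022-36186, CVE-2022-36190 and CVE-2022-36191, so the practical question for an administrator is whether a given installed version sorts at or above that under Debian's version ordering (epoch, then upstream part, then Debian revision; "~" sorts before everything including the end of the string, letters before non-letters, digit runs numerically). The Python below reimplements that ordering after dpkg's verrevcmp() so an inventory of versions can be checked off-box without dpkg --compare-versions. The sample versions in the test, including the backport-style "2.0.0+dfsg1-4~bpo11+1", are constructed for illustration and are not versions this thread mentions.

```python
"""Debian version ordering (Policy 5.6.12, dpkg verrevcmp) in Python, used to
decide whether an installed gpac version is at or above the fixed 2.0.0+dfsg1-4.

Added example for illustration; not code from the Debian BTS mails or gpac.
"""

# Fixed version named in the Bug#1019595 close message.
FIXED_GPAC_VERSION = "2.0.0+dfsg1-4"


def _order(c: str) -> int:
    """Sort weight of one non-digit character ('' means end of string)."""
    if c == "~":
        return -1                 # '~' sorts before everything, even ''
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)             # letters sort before non-letters
    return ord(c) + 256           # '.', '+', '-' and friends after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two fragments (upstream part or revision); returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. Leading non-digit runs, character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # 2. Leading digit runs, compared numerically (leading zeros dropped).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1              # a's digit run is longer, hence larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    original = version
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        if not epoch_str.isdigit():
            raise ValueError(f"bad epoch in {original!r}")
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                   # no hyphen: whole thing is the upstream part
        upstream, revision = revision, ""
    if not upstream or not upstream[0].isdigit():
        raise ValueError(f"upstream version must start with a digit: {original!r}")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg-style comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)     # missing revision compares like '0'


def gpac_is_fixed(installed: str, fixed: str = FIXED_GPAC_VERSION) -> bool:
    """True when the installed version sorts at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample inventory; not versions taken from the bug thread.
    for v in ("1.0.1+dfsg1-5", "2.0.0+dfsg1-3", "2.0.0+dfsg1-4",
              "2.0.0+dfsg1-4~bpo11+1", "2.2.1+dfsg1-1"):
        print(f"{v:24} fixed={gpac_is_fixed(v)}")
```

Caveat the last sample makes visible: a backport such as 2.0.0+dfsg1-4~bpo11+1 sorts below 2.0.0+dfsg1-4 even though it would carry the same changelog entries, so version ordering is a screening check, not proof of exposure; the CVE ids in the changelog (which the bug report asks the maintainer to include) remain the authoritative record of what a given build fixes.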