Your message dated Wed, 13 Sep 2023 07:49:09 +0000
with message-id <E1qgKcX-00HAYs-V7@fasolo.debian.org>
and subject line Bug#1034187: fixed in gpac 2.2.1+dfsg1-2
has caused the Debian Bug report #1034187,
regarding gpac: CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1034187: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034187
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: gpac: CVE-2023-0841 CVE-2023-1448 CVE-2023-1449 CVE-2023-1452 CVE-2023-1654 CVE-2023-1655
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Mon, 10 Apr 2023 19:45:09 +0200
- Message-id: <ZDRLJazWmSLnbSqE@pisco.westfalen.local>
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-1448[1]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.3-DEV-rev35-gbbca86917-master. This affects the function
| gf_m2ts_process_sdt of the file media_tools/mpegts.c. The manipulation
| leads to heap-based buffer overflow. Attacking locally is a
| requirement. The exploit has been disclosed to the public and may be
| used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223293 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2388
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463

CVE-2023-1449[2]:
| A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master
| and classified as problematic. This vulnerability affects the function
| gf_av1_reset_state of the file media_tools/av_parsers.c. The
| manipulation leads to double free. It is possible to launch the attack
| on the local host. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue.
| VDB-223294 is the identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2387
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9

CVE-2023-1452[3]:
| A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It
| has been declared as critical. Affected by this vulnerability is an
| unknown functionality of the file filters/load_text.c. The
| manipulation leads to buffer overflow. Local access is required to
| approach this attack. The exploit has been disclosed to the public and
| may be used. It is recommended to apply a patch to fix this issue. The
| identifier VDB-223297 was assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2386
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f

CVE-2023-1654[4]:
| Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.

https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14
https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da

CVE-2023-1655[5]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.4.0.

https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9
https://github.com/gpac/gpac/commit/e7f96c2d3774e4ea25f952bcdf55af1dd6e919f4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0841
    https://www.cve.org/CVERecord?id=CVE-2023-0841
[1] https://security-tracker.debian.org/tracker/CVE-2023-1448
    https://www.cve.org/CVERecord?id=CVE-2023-1448
[2] https://security-tracker.debian.org/tracker/CVE-2023-1449
    https://www.cve.org/CVERecord?id=CVE-2023-1449
[3] https://security-tracker.debian.org/tracker/CVE-2023-1452
    https://www.cve.org/CVERecord?id=CVE-2023-1452
[4] https://security-tracker.debian.org/tracker/CVE-2023-1654
    https://www.cve.org/CVERecord?id=CVE-2023-1654
[5] https://security-tracker.debian.org/tracker/CVE-2023-1655
    https://www.cve.org/CVERecord?id=CVE-2023-1655

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1034187-close@bugs.debian.org
- Subject: Bug#1034187: fixed in gpac 2.2.1+dfsg1-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 13 Sep 2023 07:49:09 +0000
- Message-id: <E1qgKcX-00HAYs-V7@fasolo.debian.org>
- Reply-to: Shengjing Zhu <zhsj@debian.org>
Source: gpac
Source-Version: 2.2.1+dfsg1-2
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Sep 2023 14:56:05 +0800
Source: gpac
Architecture: source
Version: 2.2.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 1033116 1034187 1034732 1034890 1036701 1041380
Changes:
 gpac (2.2.1+dfsg1-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group <packages@qa.debian.org> (See #1038784)
   * Upload to unstable.
   * Backport patch to build with ffmpeg 6.0 (Closes: #1041380)
 .
 gpac (2.2.1+dfsg1-1) experimental; urgency=medium
 .
   * New upstream version, closes: #1033116, #1034732, #1034187, #1036701, #1034890
   * soname bump libgpac11 -> libgpac12
Checksums-Sha1:
 515d078cd5d15d313aee64dbd9f4e67cf8f3cef7 1792 gpac_2.2.1+dfsg1-2.dsc
 9d039fa233084402316bd9cb408c07e638b9e1d0 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 701e4931c4284d79759357714aec8292f05c1236 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Checksums-Sha256:
 fec96c4cc0e5b24291bd9c057959f945bd70f3eff64e19059cebee6f4c71b5cc 1792 gpac_2.2.1+dfsg1-2.dsc
 af3728f8e7f919a92f63013a2b8c77143202f68d2320fb1c3bede45696cb133b 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 e1f7d5b34b614d5575a1935c714b3deef8e6a3f752888a5e1e793d13c0e842fd 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Files:
 97d4a6d4b6b9495e9d629076fdc3f00a 1792 graphics optional gpac_2.2.1+dfsg1-2.dsc
 59c4c28301588d18b2772b4d7d2c01d1 37648 graphics optional gpac_2.2.1+dfsg1-2.debian.tar.xz
 13e61d51c866f3a27f2b029ed6e9b2b4 5325 graphics optional gpac_2.2.1+dfsg1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSRhdT1d2eu7mxV1B5/RPol6lUUywUCZQFiHAAKCRB/RPol6lUU
y1LPAP46U6+EIJ9QVlkB7/alzOVjS8rwJtv3AXCP8hiN1MQmzwD/eA+xNfWYmjYC
ttFLF72wb/NNs+Jvc+UX71Z/j73NJwQ=
=4Rgn
-----END PGP SIGNATURE-----
--- End Message ---