Bug#1034890: marked as done (gpac: CVE-2023-0841)

To: Shengjing Zhu <zhsj@debian.org>
Subject: Bug#1034890: marked as done (gpac: CVE-2023-0841)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Wed, 13 Sep 2023 07:51:09 +0000
Message-id: <[🔎] handler.1034890.D1034890.1694591353258581.ackdone@bugs.debian.org>
Reply-to: 1034890@bugs.debian.org
References: <E1qgKcY-00HAYy-0l@fasolo.debian.org> <ZEliMBSCwV52a58R@pisco.westfalen.local>

Your message dated Wed, 13 Sep 2023 07:49:10 +0000
with message-id <E1qgKcY-00HAYy-0l@fasolo.debian.org>
and subject line Bug#1034890: fixed in gpac 2.2.1+dfsg1-2
has caused the Debian Bug report #1034890,
regarding gpac: CVE-2023-0841
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: gpac: CVE-2023-0841
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Wed, 26 Apr 2023 19:41:04 +0200
Message-id: <ZEliMBSCwV52a58R@pisco.westfalen.local>

Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for gpac.

CVE-2023-0841[0]:
| A vulnerability, which was classified as critical, has been found in
| GPAC 2.3-DEV-rev40-g3602a5ded. This issue affects the function
| mp3_dmx_process of the file filters/reframe_mp3.c. The manipulation
| leads to heap-based buffer overflow. The attack may be initiated
| remotely. The exploit has been disclosed to the public and may be
| used. The associated identifier of this vulnerability is VDB-221087.

Only reference here is the following, doesn't seem to have been forwarded:
https://github.com/qianshuidewajueji/poc/blob/main/gpac/mp3_dmx_process_poc3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0841
    https://www.cve.org/CVERecord?id=CVE-2023-0841

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

To: 1034890-close@bugs.debian.org
Subject: Bug#1034890: fixed in gpac 2.2.1+dfsg1-2
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Wed, 13 Sep 2023 07:49:10 +0000
Message-id: <E1qgKcY-00HAYy-0l@fasolo.debian.org>
Reply-to: Shengjing Zhu <zhsj@debian.org>

Source: gpac
Source-Version: 2.2.1+dfsg1-2
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Sep 2023 14:56:05 +0800
Source: gpac
Architecture: source
Version: 2.2.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 1033116 1034187 1034732 1034890 1036701 1041380
Changes:
 gpac (2.2.1+dfsg1-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group <packages@qa.debian.org> (See #1038784)
   * Upload to unstable.
   * Backport patch to build with ffmpeg 6.0 (Closes: #1041380)
 .
 gpac (2.2.1+dfsg1-1) experimental; urgency=medium
 .
   * New upstream version,
     closes: #1033116, #1034732, #1034187, #1036701, #1034890
   * soname bump libgpac11 -> libgpac12
Checksums-Sha1:
 515d078cd5d15d313aee64dbd9f4e67cf8f3cef7 1792 gpac_2.2.1+dfsg1-2.dsc
 9d039fa233084402316bd9cb408c07e638b9e1d0 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 701e4931c4284d79759357714aec8292f05c1236 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Checksums-Sha256:
 fec96c4cc0e5b24291bd9c057959f945bd70f3eff64e19059cebee6f4c71b5cc 1792 gpac_2.2.1+dfsg1-2.dsc
 af3728f8e7f919a92f63013a2b8c77143202f68d2320fb1c3bede45696cb133b 37648 gpac_2.2.1+dfsg1-2.debian.tar.xz
 e1f7d5b34b614d5575a1935c714b3deef8e6a3f752888a5e1e793d13c0e842fd 5325 gpac_2.2.1+dfsg1-2_source.buildinfo
Files:
 97d4a6d4b6b9495e9d629076fdc3f00a 1792 graphics optional gpac_2.2.1+dfsg1-2.dsc
 59c4c28301588d18b2772b4d7d2c01d1 37648 graphics optional gpac_2.2.1+dfsg1-2.debian.tar.xz
 13e61d51c866f3a27f2b029ed6e9b2b4 5325 graphics optional gpac_2.2.1+dfsg1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSRhdT1d2eu7mxV1B5/RPol6lUUywUCZQFiHAAKCRB/RPol6lUU
y1LPAP46U6+EIJ9QVlkB7/alzOVjS8rwJtv3AXCP8hiN1MQmzwD/eA+xNfWYmjYC
ttFLF72wb/NNs+Jvc+UX71Z/j73NJwQ=
=4Rgn
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: Bug#1034732: marked as done (Keep out of testing)
Next by Date: Bug#1036701: marked as done (gpac: CVE-2023-2837 CVE-2023-2838 CVE-2023-2839 CVE-2023-2840)
Previous by thread: Bug#1034732: marked as done (Keep out of testing)
Next by thread: Bug#1036701: marked as done (gpac: CVE-2023-2837 CVE-2023-2838 CVE-2023-2839 CVE-2023-2840)
Index(es):
- Date
- Thread