Your message dated Wed, 13 Sep 2023 07:49:10 +0000
with message-id <E1qgKcY-00HAZ1-1Z@fasolo.debian.org>
and subject line Bug#1036701: fixed in gpac 2.2.1+dfsg1-2
has caused the Debian Bug report #1036701,
regarding gpac: CVE-2023-2837 CVE-2023-2838 CVE-2023-2839 CVE-2023-2840
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1036701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036701
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: gpac: CVE-2023-2837 CVE-2023-2838 CVE-2023-2839 CVE-2023-2840
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Wed, 24 May 2023 15:39:59 +0200
- Message-id: <ZG4Tr+Y3eWe4+fj/@pisco.westfalen.local>
Source: gpac
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-2837[0]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/a6bfd1b2-aba8-4c6f-90c4-e95b1831cb17/
https://github.com/gpac/gpac/commit/6f28c4cd607d83ce381f9b4a9f8101ca1e79c611

CVE-2023-2838[1]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.

https://huntr.dev/bounties/711e0988-5345-4c01-a2fe-1179604dd07f/
https://github.com/gpac/gpac/commit/c88df2e202efad214c25b4e586f243b2038779ba

CVE-2023-2839[2]:
| Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.

https://huntr.dev/bounties/42dce889-f63d-4ea9-970f-1f20fc573d5f/
https://github.com/gpac/gpac/commit/047f96fb39e6bf70cb9f344093f5886e51dce0ac

CVE-2023-2840[3]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/21926fc2-6eb1-4e24-8a36-e60f487d0257/
https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2837
    https://www.cve.org/CVERecord?id=CVE-2023-2837
[1] https://security-tracker.debian.org/tracker/CVE-2023-2838
    https://www.cve.org/CVERecord?id=CVE-2023-2838
[2] https://security-tracker.debian.org/tracker/CVE-2023-2839
    https://www.cve.org/CVERecord?id=CVE-2023-2839
[3] https://security-tracker.debian.org/tracker/CVE-2023-2840
    https://www.cve.org/CVERecord?id=CVE-2023-2840

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1036701-close@bugs.debian.org
- Subject: Bug#1036701: fixed in gpac 2.2.1+dfsg1-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 13 Sep 2023 07:49:10 +0000
- Message-id: <E1qgKcY-00HAZ1-1Z@fasolo.debian.org>
- Reply-to: Shengjing Zhu <zhsj@debian.org>
Source: gpac
Source-Version: 2.2.1+dfsg1-2
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
gpac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1036701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated gpac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 13 Sep 2023 14:56:05 +0800
Source: gpac
Architecture: source
Version: 2.2.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 1033116 1034187 1034732 1034890 1036701 1041380
Changes:
 gpac (2.2.1+dfsg1-2) unstable; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group <packages@qa.debian.org> (See #1038784)
   * Upload to unstable.
   * Backport patch to build with ffmpeg 6.0 (Closes: #1041380)
 .
 gpac (2.2.1+dfsg1-1) experimental; urgency=medium
 .
   * New upstream version, closes: #1033116, #1034732, #1034187, #1036701, #1034890
   * soname bump libgpac11 -> libgpac12
--- End Message ---