Your message dated Wed, 8 Feb 2023 20:17:42 +0100 with message-id <20230208191741.GA22609@inutil.org> and subject line Re: re-evaluate severity of 1021013 has caused the Debian Bug report #1021013, regarding mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1021013: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021013 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Fri, 30 Sep 2022 16:45:23 +0200
- Message-id: <YzcBA7brSaM3JjM3@pisco.westfalen.local>
Source: mplayer X-Debbugs-CC: team@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for mplayer. CVE-2022-38600[0]: | Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and | vf_vo.c. https://trac.mplayerhq.hu/ticket/2390#comment:2 https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e (r38380) Followup: https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8 (r38392) CVE-2022-38856[1]: | Certain The MPlayer Project products are vulnerable to Buffer Overflow | via function mov_build_index() of libmpdemux/demux_mov.c. This affects | mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1. https://trac.mplayerhq.hu/ticket/2395 CVE-2022-38861[2]: | The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory | corruption via function free_mp_image() of libmpcodecs/mp_image.c. https://trac.mplayerhq.hu/ticket/2407 https://git.ffmpeg.org/gitweb/mplayer.git/commit/2622e7fbe3605a2f3b4f74900197fefeedc0d2e1 (r38402) CVE-2022-38862[3]: | Certain The MPlayer Project products are vulnerable to Buffer Overflow | via function play() of libaf/af.c:639. This affects mplayer | SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1. https://trac.mplayerhq.hu/ticket/2400 https://trac.mplayerhq.hu/ticket/2404 CVE-2022-38864[4]: | Certain The MPlayer Project products are vulnerable to Buffer Overflow | via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This | affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1. https://trac.mplayerhq.hu/ticket/2406 https://git.ffmpeg.org/gitweb/mplayer.git/commit/36546389ef9fb6b0e0540c5c3f212534c34b0e94 (r38391) If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-38600 https://www.cve.org/CVERecord?id=CVE-2022-38600 [1] https://security-tracker.debian.org/tracker/CVE-2022-38856 https://www.cve.org/CVERecord?id=CVE-2022-38856 [2] https://security-tracker.debian.org/tracker/CVE-2022-38861 https://www.cve.org/CVERecord?id=CVE-2022-38861 [3] https://security-tracker.debian.org/tracker/CVE-2022-38862 https://www.cve.org/CVERecord?id=CVE-2022-38862 [4] https://security-tracker.debian.org/tracker/CVE-2022-38864 https://www.cve.org/CVERecord?id=CVE-2022-38864 Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: Lorenzo <plorenzo@disroot.org>
- Cc: 1021013-done@bugs.debian.org, team@security.debian.org
- Subject: Re: re-evaluate severity of 1021013
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Wed, 8 Feb 2023 20:17:42 +0100
- Message-id: <20230208191741.GA22609@inutil.org>
- In-reply-to: <[🔎] 20230208150231.31252d86@lorenz.fritz.box>
- References: <[🔎] 20230208150231.31252d86@lorenz.fritz.box>
Version: 2:1.5+svn38408-1 Hi Lorenzo! On Wed, Feb 08, 2023 at 03:02:31PM +0100, Lorenzo wrote: > Dear Security Team, > > CVE-2022-38600, CVE-2022-38864, CVE-2022-38861 are fixed in unstable; > > also, according to upstream[1] CVE-2022-38856 seems to be fixed too, > although the exact commit that contains the fix is not identified. > > as for CVE-2022-38862 it can't be reproduced upstream [2] and is > possibly caused by a buggy compiler of the reporter. > > I think this bug can be downgraded to non RC severity (perhaps > important or normal?) until further info comes out. What is your > opinion? Yeah, we can close this one with 2:1.5+svn38408-1. I've synched up the Security Tracker. Cheers, Moritz
--- End Message ---