
Bug#1021013: marked as done (mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864)



Your message dated Wed, 8 Feb 2023 20:17:42 +0100
with message-id <20230208191741.GA22609@inutil.org>
and subject line Re: re-evaluate severity of 1021013
has caused the Debian Bug report #1021013,
regarding mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1021013: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021013
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: mplayer
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mplayer.

CVE-2022-38600[0]:
| Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and
| vf_vo.c.

https://trac.mplayerhq.hu/ticket/2390#comment:2
https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e (r38380)
Followup: https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8 (r38392)

CVE-2022-38856[1]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via function mov_build_index() of libmpdemux/demux_mov.c. This affects
| mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2395

CVE-2022-38861[2]:
| The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory
| corruption via function free_mp_image() of libmpcodecs/mp_image.c.

https://trac.mplayerhq.hu/ticket/2407
https://git.ffmpeg.org/gitweb/mplayer.git/commit/2622e7fbe3605a2f3b4f74900197fefeedc0d2e1 (r38402)

CVE-2022-38862[3]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via function play() of libaf/af.c:639. This affects mplayer
| SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2400
https://trac.mplayerhq.hu/ticket/2404

CVE-2022-38864[4]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This
| affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2406
https://git.ffmpeg.org/gitweb/mplayer.git/commit/36546389ef9fb6b0e0540c5c3f212534c34b0e94 (r38391)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38600
    https://www.cve.org/CVERecord?id=CVE-2022-38600
[1] https://security-tracker.debian.org/tracker/CVE-2022-38856
    https://www.cve.org/CVERecord?id=CVE-2022-38856
[2] https://security-tracker.debian.org/tracker/CVE-2022-38861
    https://www.cve.org/CVERecord?id=CVE-2022-38861
[3] https://security-tracker.debian.org/tracker/CVE-2022-38862
    https://www.cve.org/CVERecord?id=CVE-2022-38862
[4] https://security-tracker.debian.org/tracker/CVE-2022-38864
    https://www.cve.org/CVERecord?id=CVE-2022-38864

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Version: 2:1.5+svn38408-1

Hi Lorenzo!

On Wed, Feb 08, 2023 at 03:02:31PM +0100, Lorenzo wrote:
> Dear Security Team,
> 
> CVE-2022-38600, CVE-2022-38864, CVE-2022-38861 are fixed in unstable;
> 
> also, according to upstream[1] CVE-2022-38856 seems to be fixed too,
> although the exact commit that contains the fix is not identified.
> 
> as for CVE-2022-38862 it can't be reproduced upstream [2] and is
> possibly caused by a buggy compiler of the reporter.
> 
> I think this bug can be downgraded to non RC severity (perhaps
> important or normal?) until further info comes out. What is your
> opinion?

Yeah, we can close this one with 2:1.5+svn38408-1. I've synched up
the Security Tracker.

Cheers,
        Moritz

--- End Message ---
