
Bug#1064310: marked as done (dav1d: CVE-2024-1580)



Your message dated Tue, 20 Feb 2024 20:49:08 +0000
with message-id <E1rcX36-002Jf1-9e@fasolo.debian.org>
and subject line Bug#1064310: fixed in dav1d 1.4.0-1
has caused the Debian Bug report #1064310,
regarding dav1d: CVE-2024-1580
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1064310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064310
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: dav1d
Version: 1.3.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for dav1d.

CVE-2024-1580[0]:
| An integer overflow in dav1d AV1 decoder that can occur when
| decoding videos with large frame size. This can lead to memory
| corruption within the AV1 decoder. We recommend upgrading past
| version 1.4.0 of dav1d.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1580
    https://www.cve.org/CVERecord?id=CVE-2024-1580
[1] https://code.videolan.org/videolan/dav1d/-/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dav1d
Source-Version: 1.4.0-1
Done: Dylan Aïssi <daissi@debian.org>

We believe that the bug you reported is fixed in the latest version of
dav1d, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064310@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated dav1d package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Feb 2024 21:21:06 +0100
Source: dav1d
Architecture: source
Version: 1.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Closes: 1064310
Changes:
 dav1d (1.4.0-1) unstable; urgency=medium
 .
   * New upstream version 1.4.0
     - CVE-2024-1580 (Closes: #1064310)
   * Update VideoLAN Release Signing Key
   * Remove debian/salsa-ci.yml



--- End Message ---
