Your message dated Tue, 20 Feb 2024 20:49:08 +0000 with message-id <E1rcX36-002Jf1-9e@fasolo.debian.org> and subject line Bug#1064310: fixed in dav1d 1.4.0-1 has caused the Debian Bug report #1064310, regarding dav1d: CVE-2024-1580 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1064310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064310
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: dav1d: CVE-2024-1580
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Mon, 19 Feb 2024 22:34:31 +0100
- Message-id: <170837847180.1300657.3046499965779611508.reportbug@eldamar.lan>

Source: dav1d
Version: 1.3.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for dav1d.

CVE-2024-1580[0]:
| An integer overflow in dav1d AV1 decoder that can occur when
| decoding videos with large frame size. This can lead to memory
| corruption within the AV1 decoder. We recommend upgrading past
| version 1.4.0 of dav1d.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1580
    https://www.cve.org/CVERecord?id=CVE-2024-1580
[1] https://code.videolan.org/videolan/dav1d/-/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: 1064310-close@bugs.debian.org
- Subject: Bug#1064310: fixed in dav1d 1.4.0-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 20 Feb 2024 20:49:08 +0000
- Message-id: <E1rcX36-002Jf1-9e@fasolo.debian.org>
- Reply-to: Dylan Aïssi <daissi@debian.org>
Source: dav1d
Source-Version: 1.4.0-1
Done: Dylan Aïssi <daissi@debian.org>

We believe that the bug you reported is fixed in the latest version of dav1d, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1064310@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated dav1d package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 20 Feb 2024 21:21:06 +0100
Source: dav1d
Architecture: source
Version: 1.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Closes: 1064310
Changes:
 dav1d (1.4.0-1) unstable; urgency=medium
 .
   * New upstream version 1.4.0
     - CVE-2024-1580 (Closes: #1064310)
   * Update VideoLAN Release Signing Key
   * Remove debian/salsa-ci.yml
--- End Message ---