
Bug#1091633: marked as done (libtheora: CVE-2024-56431)



Your message dated Sun, 16 Mar 2025 04:19:06 +0000
with message-id <E1ttfSs-009MeT-VK@fasolo.debian.org>
and subject line Bug#1091633: fixed in libtheora 1.2.0~alpha1+dfsg-6
has caused the Debian Bug report #1091633,
regarding libtheora: CVE-2024-56431
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1091633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091633
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libtheora
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for libtheora.

CVE-2024-56431[0]:
| oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0
| 7180717 has an invalid negative left shift.

https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC
https://github.com/advisories/GHSA-8xp8-gmmj-xc8w
https://github.com/xiph/theora/issues/18

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56431
    https://www.cve.org/CVERecord?id=CVE-2024-56431

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libtheora
Source-Version: 1.2.0~alpha1+dfsg-6
Done: Petter Reinholdtsen <pere@debian.org>

We believe that the bug you reported is fixed in the latest version of
libtheora, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1091633@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated libtheora package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 16 Mar 2025 04:59:38 +0100
Source: libtheora
Architecture: source
Version: 1.2.0~alpha1+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Closes: 923940 1091633
Changes:
 libtheora (1.2.0~alpha1+dfsg-6) unstable; urgency=medium
 .
   * Team upload.
 .
   * Added 0005-drop-inter-library-dep.patch from upstream to avoid
     unwanted library dependency (Closes: #923940).
   * Added 0006-CVE-2024-56431.patch fixing crash on bad input
     (Closes: #1091633).



--- End Message ---
