Bug#1112070: marked as done (bookworm-pu: package gst-plugins-good1.0/1.22.0-5+deb12u3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112070,
regarding bookworm-pu: package gst-plugins-good1.0/1.22.0-5+deb12u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112070
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package gst-plugins-good1.0/1.22.0-5+deb12u3
• From: Moritz Muehlenhoff <jmm@debian.org>
• Date: Mon, 25 Aug 2025 22:35:59 +0200
• Message-id: <175615415954.81484.3955206295999788190.reportbug@soju.westfalen.local>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gst-plugins-good1.0@packages.debian.org
Control: affects -1 + src:gst-plugins-good1.0
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes a low impact security issues. Tests with various test files
were fine and autopkgtests via debusine also look good. debdiff
below.

Cheers,
        Moritz

diff -Nru gst-plugins-good1.0-1.22.0/debian/changelog gst-plugins-good1.0-1.22.0/debian/changelog
--- gst-plugins-good1.0-1.22.0/debian/changelog	2024-12-21 14:32:49.000000000 +0100
+++ gst-plugins-good1.0-1.22.0/debian/changelog	2025-08-20 20:44:45.000000000 +0200
@@ -1,3 +1,9 @@
+gst-plugins-good1.0 (1.22.0-5+deb12u3) bookworm; urgency=medium
+
+  * CVE-2025-47219
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Wed, 20 Aug 2025 20:44:45 +0200
+
 gst-plugins-good1.0 (1.22.0-5+deb12u2) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/CVE-2025-47219.patch gst-plugins-good1.0-1.22.0/debian/patches/CVE-2025-47219.patch
--- gst-plugins-good1.0-1.22.0/debian/patches/CVE-2025-47219.patch	1970-01-01 01:00:00.000000000 +0100
+++ gst-plugins-good1.0-1.22.0/debian/patches/CVE-2025-47219.patch	2025-08-20 20:44:38.000000000 +0200
@@ -0,0 +1,26 @@
+From b80803943388050cb870c95934fc52feeffb94ac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Sat, 3 May 2025 09:43:32 +0300
+Subject: [PATCH] qtdemux: Check if enough bytes are available for each stsd
+ entry
+
+There must be at least 8 bytes for the length / fourcc of each entry. After
+reading those, the length is already validated against the remaining available
+bytes.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4407
+Fixes CVE-2025-47219
+
+--- gst-plugins-good1.0-1.22.0.orig/gst/isomp4/qtdemux.c
++++ gst-plugins-good1.0-1.22.0/gst/isomp4/qtdemux.c
+@@ -11315,6 +11315,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+     gchar *codec = NULL;
+     QtDemuxStreamStsdEntry *entry = &stream->stsd_entries[stsd_index];
+ 
++    /* needs at least length and fourcc */
++    if (remaining_stsd_len < 8)
++      goto corrupt_file;
++
+     /* and that entry should fit within stsd */
+     len = QT_UINT32 (stsd_entry_data);
+     if (len > remaining_stsd_len)
diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/series gst-plugins-good1.0-1.22.0/debian/patches/series
--- gst-plugins-good1.0-1.22.0/debian/patches/series	2024-12-21 14:32:49.000000000 +0100
+++ gst-plugins-good1.0-1.22.0/debian/patches/series	2025-08-20 20:44:13.000000000 +0200
@@ -30,3 +30,4 @@
 qtdemux-Actually-handle-errors-returns-from-various-.patch
 qtdemux-Check-for-invalid-atom-length-when-extractin.patch
 qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
+CVE-2025-47219.patch

--- End Message ---

--- Begin Message ---

• To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
• Subject: Closing p-u requests for fixes included in 12.12
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 06 Sep 2025 12:14:50 +0100
• Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---