Your message dated Thu, 10 Jul 2025 08:34:24 +0000
with message-id <e1uzmjy-00gqxb...@fasolo.debian.org>
and subject line Bug#1108973: fixed in gst-plugins-bad1.0 1.26.2-3
has caused the Debian Bug report #1108973,
regarding gst-plugins-bad1.0: CVE-2025-6663
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108973
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gst-plugins-bad1.0
Version: 1.26.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for gst-plugins-bad1.0.
CVE-2025-6663[0]:
| GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of GStreamer.
| Interaction with this library is required to exploit this
| vulnerability but attack vectors may vary depending on the
| implementation. The specific flaw exists within the parsing of H266
| sei messages. The issue results from the lack of proper validation
| of the length of user-supplied data prior to copying it to a fixed-
| length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current process.
| Was ZDI-CAN-27381.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-6663
https://www.cve.org/CVERecord?id=CVE-2025-6663
[1] https://www.zerodayinitiative.com/advisories/ZDI-25-467/
[2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/596cf19c0c4c92b31c4ef315a0278586b0772b93
Regards,
Salvatore
--- End Message ---
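As an added illustration of the bug class the advisory describes (this is not GStreamer's code; the names MAX_SUBPICS, subpic_level_info_t, parse_subpic_level_info and the ue(v)/u(8) field layout are assumptions for this example), a count read from the bitstream is bounded before it drives writes into a fixed-length stack array:

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_SUBPICS 16   /* assumed capacity of the fixed-length array */
typedef struct {
  uint8_t num_subpics;
  uint8_t level_idc[MAX_SUBPICS];   /* fixed-length, lives on the caller's stack */
} subpic_level_info_t;
typedef struct { const uint8_t *data; size_t len; size_t pos; } bitreader_t;

/* Read n bits MSB-first; -1 if the constructed buffer is exhausted. */
static int read_bits(bitreader_t *br, unsigned n, uint32_t *out) {
  uint32_t v = 0;
  for (unsigned i = 0; i < n; i++) {
    if (br->pos >= br->len * 8) return -1;
    v = (v << 1) | ((br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    br->pos++;
  }
  *out = v;
  return 0;
}

/* Unsigned Exp-Golomb ue(v), the coding H.26x syntax uses for counts. */
static int read_ue(bitreader_t *br, uint32_t *out) {
  unsigned zeros = 0;
  uint32_t bit, rest;
  for (;;) {
    if (read_bits(br, 1, &bit)) return -1;
    if (bit) break;
    if (++zeros > 31) return -1;       /* codeword too long to be valid */
  }
  if (read_bits(br, zeros, &rest)) return -1;
  *out = ((1u << zeros) - 1) + rest;
  return 0;
}

/* 0 on success, -1 on malformed input. Without the MAX_SUBPICS check the
 * loop would write `count` entries into a 16-byte array: the bug class
 * the advisory describes (length not validated before the copy). */
static int parse_subpic_level_info(const uint8_t *buf, size_t len,
                                   subpic_level_info_t *info) {
  bitreader_t br = { buf, len, 0 };
  uint32_t count, v;
  if (read_ue(&br, &count)) return -1;
  if (count > MAX_SUBPICS) return -1;  /* bound the stream-supplied count first */
  info->num_subpics = (uint8_t)count;
  for (uint32_t i = 0; i < count; i++) {
    if (read_bits(&br, 8, &v)) return -1;
    info->level_idc[i] = (uint8_t)v;
  }
  return 0;
}
```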
--- Begin Message ---
Source: gst-plugins-bad1.0
Source-Version: 1.26.2-3
Done: Marc Leeman <marc.lee...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
gst-plugins-bad1.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Leeman <marc.lee...@gmail.com> (supplier of updated gst-plugins-bad1.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Jul 2025 10:07:14 +0200
Source: gst-plugins-bad1.0
Architecture: source
Version: 1.26.2-3
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of GStreamer packages <gst-plugins-bad...@packages.debian.org>
Changed-By: Marc Leeman <marc.lee...@gmail.com>
Closes: 1108973
Changes:
gst-plugins-bad1.0 (1.26.2-3) unstable; urgency=medium
.
  * d/patches: 0001-h266parser-Fix-overflow-when-parsing-subpic_level_in.patch
    - Fix CVE-2025-6663 (Closes: #1108973)
      Fix overflow when parsing subpic_level_info in H.266 parser
--- End Message ---