Your message dated Thu, 10 Jul 2025 21:30:53 +0000
with message-id <e1uzyqz-00eifu...@respighi.debian.org>
and subject line unblock gst-plugins-bad1.0
has caused the Debian Bug report #1109074,
regarding unblock: gst-plugins-bad1.0/1.26.2-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1109074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109074
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gst-plugins-bad...@packages.debian.org
Control: affects -1 + src:gst-plugins-bad1.0
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package gst-plugins-bad1.0
GStreamer 1.26.3 includes a fix for CVE-2025-6663 [1], but because of
the trixie freeze, we do not want to upload a new version to unstable
and testing.
Therefore, we are requesting an unblock for the latest version in
unstable, which is 1.26.2-3, which includes the fix for CVE-2025-6663
[2].
[1] https://security-tracker.debian.org/tracker/CVE-2025-6663
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108973
[ Reason ]
security fix for CVE-2025-6663
[ Description ]
[ Impact ]
GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code
Execution Vulnerability. This vulnerability allows remote attackers to
execute arbitrary code on affected installations of GStreamer. Interaction
with this library is required to exploit this vulnerability but attack
vectors may vary depending on the implementation. The specific flaw
exists within the parsing of H266 sei messages. The issue results
from the lack of proper validation of the length of user-supplied data
prior to copying it to a fixed-length stack-based buffer. An attacker
can leverage this vulnerability to execute code in the context of the
current process. Was ZDI-CAN-27381.
[ Tests ]
[ Risks ]
none
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
none
unblock gst-plugins-bad1.0/1.26.2-3
gst-plugins-bad1.0_1.26.2-3.debdiff.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Unblocked gst-plugins-bad1.0.
--- End Message ---
