Your message dated Wed, 28 Jan 2009 01:17:04 +0000
with message-id <e1lrz3a-0002wi...@ries.debian.org>
and subject line Bug#512818: fixed in gst-plugins-good0.10 0.10.8-4.1
has caused the Debian Bug report #512818,
regarding SA33650: QuickTime Processing Vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
512818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gstreamer0.10-plugins-good
Severity: grave
Version: 0.10.8-4
Tags: security
Hi,
The following SA (Secunia Advisory) id was published for interchange.
SA33650[1]:
> Tobias Klein has reported some vulnerabilities in GStreamer Good Plug-ins,
> which can potentially be exploited by malicious people to compromise a
> vulnerable system.
>
> 1) A boundary error occurs within the "qtdemux_parse_samples()" function in
> gst/gtdemux/qtdemux.c when performing QuickTime "ctts" Atom parsing. This
> can be exploited to cause a heap-based buffer overflow via a specially
> crafted QuickTime media file.
>
> 2) An array indexing error exists in the "qtdemux_parse_samples()" function
> in gst/gtdemux/qtdemux.c when performing QuickTime "stss" Atom parsing.
> This can be exploited to corrupt memory via a specially crafted QuickTime
> media file.
>
> 3) A boundary error occurs within the "qtdemux_parse_samples()" function in
> gst/gtdemux/qtdemux.c when performing QuickTime "stts" Atom parsing. This
> can be exploited to cause a heap-based buffer overflow via a specially
> crafted QuickTime media file.
>
> These vulnerabilities are reported in versions prior to 0.10.12.
The original advisory can be found at [2].
If you fix the vulnerability please also make sure to include the CVE id, when
one is assigned, in the changelog entry.
[1] http://secunia.com/Advisories/33650/
[2] http://trapkit.de/advisories/TKADV2009-003.txt
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
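Added example, not part of the original message and not the GStreamer code or the Debian patch: the bounds checks that the three advisory items above call for when a demuxer expands QuickTime sample tables into a pre-allocated array. "stts" and "ctts" share the run-length (count, value) layout shown here; the Sample struct, function names and byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { uint32_t duration; int keyframe; } Sample; /* hypothetical */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Expand "stts" runs (count, delta) into out[0..n_samples). 0 = ok, -1 = reject.
 * body starts at the version/flags word; n_samples is the allocated length. */
int expand_stts(const uint8_t *body, size_t len, Sample *out, uint32_t n_samples) {
    if (len < 8) return -1;                    /* version/flags + entry count */
    uint32_t n_entries = be32(body + 4);
    if (n_entries > (len - 8) / 8) return -1;  /* table must fit in the atom */
    uint32_t index = 0;
    for (uint32_t i = 0; i < n_entries; i++) {
        const uint8_t *e = body + 8 + 8 * (size_t)i;
        uint32_t count = be32(e), delta = be32(e + 4);
        if (count > n_samples - index) return -1;  /* run passes array end */
        while (count--) out[index++].duration = delta;
    }
    return 0;
}

/* Mark "stss" sync samples; sample numbers in the file are 1-based. */
int apply_stss(const uint8_t *body, size_t len, Sample *out, uint32_t n_samples) {
    if (len < 8) return -1;
    uint32_t n_entries = be32(body + 4);
    if (n_entries > (len - 8) / 4) return -1;
    for (uint32_t i = 0; i < n_entries; i++) {
        uint32_t num = be32(body + 8 + 4 * (size_t)i);
        if (num == 0 || num > n_samples) return -1; /* file-supplied index */
        out[num - 1].keyframe = 1;
    }
    return 0;
}
/* Constructed inputs: runs 3x100 + 1x50 (fits 4 samples); one run of 5; sync #9. */
static const uint8_t STTS_OK[]  = {0,0,0,0, 0,0,0,2, 0,0,0,3, 0,0,0,100, 0,0,0,1, 0,0,0,50};
static const uint8_t STTS_BAD[] = {0,0,0,0, 0,0,0,1, 0,0,0,5, 0,0,0,100};
static const uint8_t STSS_BAD[] = {0,0,0,0, 0,0,0,1, 0,0,0,9};
int main(void) {
    Sample s[4] = {{0, 0}};
    printf("%d %d %d\n", expand_stts(STTS_OK, sizeof STTS_OK, s, 4),
           expand_stts(STTS_BAD, sizeof STTS_BAD, s, 4),
           apply_stss(STSS_BAD, sizeof STSS_BAD, s, 4));
    return 0;
}
```

Both rejected inputs are well-formed tables whose contents disagree with the allocated sample count, which is why the check has to compare against the array length and not only the atom length.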
--- Begin Message ---
Source: gst-plugins-good0.10
Source-Version: 0.10.8-4.1
We believe that the bug you reported is fixed in the latest version of
gst-plugins-good0.10, which is due to be installed in the Debian FTP archive:
gst-plugins-good0.10_0.10.8-4.1.diff.gz
to pool/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.8-4.1.diff.gz
gst-plugins-good0.10_0.10.8-4.1.dsc
to pool/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.8-4.1.dsc
gstreamer0.10-esd_0.10.8-4.1_i386.deb
to pool/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.8-4.1_i386.deb
gstreamer0.10-plugins-good-dbg_0.10.8-4.1_i386.deb
to pool/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.8-4.1_i386.deb
gstreamer0.10-plugins-good-doc_0.10.8-4.1_all.deb
to pool/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-doc_0.10.8-4.1_all.deb
gstreamer0.10-plugins-good_0.10.8-4.1_i386.deb
to pool/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.8-4.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thadeu Lima de Souza Cascardo <casca...@minaslivre.org> (supplier of updated
gst-plugins-good0.10 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 27 Jan 2009 20:12:10 -0200
Source: gst-plugins-good0.10
Binary: gstreamer0.10-plugins-good-doc gstreamer0.10-esd
gstreamer0.10-plugins-good gstreamer0.10-plugins-good-dbg
Architecture: source all i386
Version: 0.10.8-4.1
Distribution: unstable
Urgency: high
Maintainer: Maintainers of GStreamer packages
<pkg-gstreamer-maintain...@lists.alioth.debian.org>
Changed-By: Thadeu Lima de Souza Cascardo <casca...@minaslivre.org>
Description:
gstreamer0.10-esd - GStreamer plugin for ESD
gstreamer0.10-plugins-good - GStreamer plugins from the "good" set
gstreamer0.10-plugins-good-dbg - GStreamer plugins from the "good" set
gstreamer0.10-plugins-good-doc - GStreamer documentation for plugins from the
"good" set
Closes: 512818
Changes:
gst-plugins-good0.10 (0.10.8-4.1) unstable; urgency=high
.
* NMU
* debian/patches/20_Fix_for_security_advisory_TKADV2009-0xx.patch:
+ Fix SA33650 and TKADV2009-03 (Closes: #512818)
* Urgency set to high due to urgency bug
--- End Message ---