Your message dated Wed, 03 Jun 2009 06:47:07 +0000
with message-id <e1mbkff-0006ln...@ries.debian.org>
and subject line Bug#531631: fixed in gst-plugins-good0.10 0.10.15-2
has caused the Debian Bug report #531631,
regarding [SA35205] GStreamer Good Plug-ins PNG Processing Integer Overflow
Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
531631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531631
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gst-plugins-good0.10
Severity: serious
Tags: security patch
Hi,
The following SA (Secunia Advisory) id was published for GStreamer Good
Plug-ins:
SA35205[0]:
Description:
A vulnerability has been discovered in GStreamer Good Plug-ins, which can be
exploited by malicious people to potentially compromise an application using
the library.
The vulnerability is caused due to an integer overflow error in
ext/libpng/gstpngdec.c, which can be exploited to cause a heap-based buffer
overflow via a specially crafted PNG file.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed in version 0.10.15. Other versions may also be
affected.
If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.
[0] http://secunia.com/advisories/35205/
Patch:
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=d9544bcc44adcef769cbdf7f6453e140058a3adc
--- End Message ---
--- Begin Message ---
Source: gst-plugins-good0.10
Source-Version: 0.10.15-2
We believe that the bug you reported is fixed in the latest version of
gst-plugins-good0.10, which is due to be installed in the Debian FTP archive:
gst-plugins-good0.10_0.10.15-2.diff.gz
  to pool/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.15-2.diff.gz
gst-plugins-good0.10_0.10.15-2.dsc
  to pool/main/g/gst-plugins-good0.10/gst-plugins-good0.10_0.10.15-2.dsc
gstreamer0.10-esd_0.10.15-2_amd64.deb
  to pool/main/g/gst-plugins-good0.10/gstreamer0.10-esd_0.10.15-2_amd64.deb
gstreamer0.10-plugins-good-dbg_0.10.15-2_amd64.deb
  to pool/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-dbg_0.10.15-2_amd64.deb
gstreamer0.10-plugins-good-doc_0.10.15-2_all.deb
  to pool/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good-doc_0.10.15-2_all.deb
gstreamer0.10-plugins-good_0.10.15-2_amd64.deb
  to pool/main/g/gst-plugins-good0.10/gstreamer0.10-plugins-good_0.10.15-2_amd64.deb
gstreamer0.10-pulseaudio_0.10.15-2_amd64.deb
  to pool/main/g/gst-plugins-good0.10/gstreamer0.10-pulseaudio_0.10.15-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 531...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Dröge <sl...@debian.org> (supplier of updated gst-plugins-good0.10
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Wed, 03 Jun 2009 08:22:36 +0200
Source: gst-plugins-good0.10
Binary: gstreamer0.10-plugins-good-doc gstreamer0.10-esd gstreamer0.10-pulseaudio gstreamer0.10-plugins-good gstreamer0.10-plugins-good-dbg
Architecture: source all amd64
Version: 0.10.15-2
Distribution: unstable
Urgency: high
Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org>
Changed-By: Sebastian Dröge <sl...@debian.org>
Description:
 gstreamer0.10-esd - GStreamer plugin for ESD
 gstreamer0.10-plugins-good - GStreamer plugins from the "good" set
 gstreamer0.10-plugins-good-dbg - GStreamer plugins from the "good" set
 gstreamer0.10-plugins-good-doc - GStreamer documentation for plugins from the "good" set
 gstreamer0.10-pulseaudio - GStreamer plugin for PulseAudio
Closes: 531631
Changes:
 gst-plugins-good0.10 (0.10.15-2) unstable; urgency=high
 .
   * debian/patches/01_equalizer-integer-arithmetic-distortions.patch:
     + Patch from upstream GIT to fix distortions when the integer
       arithmetic mode of the equalizer is used.
   * debian/patches/02_SA35205-pngdec-integer-overflow.patch:
     + SECURITY: SA35205 - PNG Processing Integer Overflow Vulnerability
       Patch from upstream GIT to fix an integer overflow in pngdec:
       A malformed (or simply huge) PNG file can lead to integer overflow in
       calculating the size of the output buffer, leading to crashes or buffer
       overflows later (Closes: #531631).
--- End Message ---
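
The bug class described in the report and changelog above (an output buffer size computed from image dimensions that wraps in 32-bit arithmetic), shown as an added example. This is not code from ext/libpng/gstpngdec.c or from the upstream patch; the function names, the 4-byte stride rounding and the sample dimensions are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Round a row length up to a multiple of 4 bytes (assumed stride rule). */
#define ROUND_UP_4(n) (((n) + 3u) & ~3u)

/* Unchecked form: the 32-bit product silently wraps for large images, so
 * the caller allocates far less than the decoder will later write. */
uint32_t frame_size_unchecked(uint32_t rowbytes, uint32_t height)
{
    return ROUND_UP_4(rowbytes) * height;
}

/* Checked form: refuse dimensions whose rounded stride or total size
 * cannot be represented in 32 bits, before any allocation happens. */
bool frame_size_checked(uint32_t rowbytes, uint32_t height, uint32_t *out)
{
    uint32_t stride;

    if (rowbytes == 0 || height == 0)
        return false;
    if (rowbytes > UINT32_MAX - 3u)       /* the rounding itself would wrap */
        return false;
    stride = ROUND_UP_4(rowbytes);
    if (height > UINT32_MAX / stride)     /* stride * height would wrap */
        return false;
    *out = stride * height;
    return true;
}

int main(void)
{
    /* Constructed header values: 65536 pixels wide at 4 bytes per pixel,
     * 16385 rows. The true size is 2^32 + 262144 bytes. */
    uint32_t rowbytes = 0x40000u, height = 0x4001u, size = 0;

    printf("unchecked size: %u bytes\n",
           (unsigned)frame_size_unchecked(rowbytes, height));
    printf("checked accepts: %s\n",
           frame_size_checked(rowbytes, height, &size) ? "yes" : "no");
    return 0;
}
```

With the constructed dimensions the unchecked result equals a single row, which is the mismatch that turns into a heap overflow once rows are written; the checked form rejects the image instead.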