Bug#602693: marked as done (Memory corruption in libvpx)

[Debian Bug Tracking System]

Your message dated Fri, 12 Nov 2010 08:32:37 +0000
with message-id <e1pgp3l-0005m4...@franck.debian.org>
and subject line Bug#602693: fixed in libvpx 0.9.1-2
has caused the Debian Bug report #602693,
regarding Memory corruption in libvpx
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
602693: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602693
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libvpx
Version: 0.9.1-1
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Christoph Diehl discovered a memory corruption in libvpx.
(see the chromium blog post[0],
[$1000] [60055] High Memory corruption in libvpx. Credit to Christoph Diehl.)

Patch: https://review.webmproject.org/#change,928


[0] http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkzWcQAACgkQNxpp46476arvJACggX5WwHL8bAtBD45YFbD4VokK
rO8Anj9dRhk/WUWk2kg8XJ55QlCdVJS8
=8Jj8
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Source: libvpx
Source-Version: 0.9.1-2

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive:

libvpx-dev_0.9.1-2_amd64.deb
  to main/libv/libvpx/libvpx-dev_0.9.1-2_amd64.deb
libvpx-doc_0.9.1-2_all.deb
  to main/libv/libvpx/libvpx-doc_0.9.1-2_all.deb
libvpx0-dbg_0.9.1-2_amd64.deb
  to main/libv/libvpx/libvpx0-dbg_0.9.1-2_amd64.deb
libvpx0_0.9.1-2_amd64.deb
  to main/libv/libvpx/libvpx0_0.9.1-2_amd64.deb
libvpx_0.9.1-2.debian.tar.gz
  to main/libv/libvpx/libvpx_0.9.1-2.debian.tar.gz
libvpx_0.9.1-2.dsc
  to main/libv/libvpx/libvpx_0.9.1-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 602...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <sl...@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 12 Nov 2010 08:44:13 +0100
Source: libvpx
Binary: libvpx-dev libvpx0 libvpx0-dbg libvpx-doc
Architecture: source all amd64
Version: 0.9.1-2
Distribution: unstable
Urgency: high
Maintainer: Sebastian Dröge <sl...@debian.org>
Changed-By: Sebastian Dröge <sl...@debian.org>
Description: 
 libvpx-dev - VP8 video codec (development files)
 libvpx-doc - VP8 video codec (API documentation)
 libvpx0    - VP8 video codec (shared library)
 libvpx0-dbg - VP8 video codec (debugging symbols)
Closes: 602693
Changes: 
 libvpx (0.9.1-2) unstable; urgency=high
 .
   * debian/patches/900_CVE-2010-4203.patch:
     + SECURITY CVE-2010-4203:
       Fix heap memory corruption which could lead to denial of service
       or possibly execution of arbitrary code. Properly validate frame
       size and partition sizes (Closes: #602693).
       This patch contains two upstream commits, adjusted to work with
       libvpx 0.9.1. It is fixed upstream in 0.9.5.
Checksums-Sha1: 
 383f3c3207a513b7c4cf5ad9502b2cb1a1631087 1155 libvpx_0.9.1-2.dsc
 310ede953d0d74de67b49b68767e5faee6157727 10830 libvpx_0.9.1-2.debian.tar.gz
 2962cb9dcf4ff008a3a7c8fe9f726d2d93917df4 233540 libvpx-doc_0.9.1-2_all.deb
 2d2c1136acbf6dcb6be2e9ec654b81ab50adf683 301834 libvpx-dev_0.9.1-2_amd64.deb
 8a5d80d0f7238f76830ddba26669ad0f816164e9 232060 libvpx0_0.9.1-2_amd64.deb
 c799da3b3edc9ceeb415ada2ca10666be22345b1 488872 libvpx0-dbg_0.9.1-2_amd64.deb
Checksums-Sha256: 
 f0411465ba821299ca21d3614b156caad495527b8bc4ffd9c15569cce338082f 1155 
libvpx_0.9.1-2.dsc
 aa02e1e4b4ac7e7d493ca6d16134e9ab0b37a5e3d7b629a6a76c3d2489b06d40 10830 
libvpx_0.9.1-2.debian.tar.gz
 3017352a7c6c6c4c7f9b263b815361326abedd604c87e870c5c7538499dbc978 233540 
libvpx-doc_0.9.1-2_all.deb
 50f153a2aa0b50428ae8102f06c4fa3b5a1dac029ca299073bb0700702454e2e 301834 
libvpx-dev_0.9.1-2_amd64.deb
 b7aae8a93cef188bb139aa2e40f09b4bf356bbf4981591ef753fdb06227b72bd 232060 
libvpx0_0.9.1-2_amd64.deb
 71804a61349ea7941e783241185fb2a8fe07cddf624903b36b53377c66c3bd9f 488872 
libvpx0-dbg_0.9.1-2_amd64.deb
Files: 
 76d08b244425e2f4b7a4913f63821a6c 1155 video optional libvpx_0.9.1-2.dsc
 8c61c8ec740baf53ea90145d14dde4a6 10830 video optional 
libvpx_0.9.1-2.debian.tar.gz
 659a7c0ccf281a544c56c1891fc2a0aa 233540 doc optional libvpx-doc_0.9.1-2_all.deb
 69b4851184716c7cdcbafc15d96f390c 301834 libdevel optional 
libvpx-dev_0.9.1-2_amd64.deb
 d0041d740a98a4abe815a8ab648dde0c 232060 libs optional libvpx0_0.9.1-2_amd64.deb
 c2b393af2a5a9ca76e5a36214b92f369 488872 debug extra 
libvpx0-dbg_0.9.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkzc+TcACgkQBsBdh1vkHyFAkQCdGsIkwzypzTOitzxvJt3h29S+
KYYAoKH5tQQ5m3Plrc5aC/+DJFbXDn2V
=ZtVc
-----END PGP SIGNATURE-----

--- End Message ---