Your message dated Tue, 08 Feb 2011 11:17:45 +0000
with message-id <e1pmlzp-0001dx...@franck.debian.org>
and subject line Bug#610510: fixed in libvpx 0.9.5-2
has caused the Debian Bug report #610510,
regarding CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
610510: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610510
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libvpx
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvpx.

CVE-2010-4489[0]:
| Google Chrome before 8.0.552.215 does not properly handle WebM video,
| which allows remote attackers to cause a denial of service
| (out-of-bounds read) via unspecified vectors.  NOTE: this vulnerability
| exists because of a regression.


Please ask upstream for an isolated patch for squeeze.
From the chromium side, they fixed this issue with the following commits:
http://src.chromium.org/viewvc/chrome?view=rev&revision=65287
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c?r1=65147&r2=65287&pathrev=65287
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libvpx/source/libvpx/vp8/decoder/decodframe.c?r1=65147&r2=65287&pathrev=65287


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4489
    http://security-tracker.debian.org/tracker/CVE-2010-4489

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk02uNoACgkQNxpp46476ao4YQCeIqJuuWg6L1VSQz1iebm49sUz
ddEAn33+fQlL4Ytg7XglpS7SlGd3Z50W
=WEhI
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: libvpx
Source-Version: 0.9.5-2

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive:

libvpx-dev_0.9.5-2_amd64.deb
  to main/libv/libvpx/libvpx-dev_0.9.5-2_amd64.deb
libvpx-doc_0.9.5-2_all.deb
  to main/libv/libvpx/libvpx-doc_0.9.5-2_all.deb
libvpx0-dbg_0.9.5-2_amd64.deb
  to main/libv/libvpx/libvpx0-dbg_0.9.5-2_amd64.deb
libvpx0_0.9.5-2_amd64.deb
  to main/libv/libvpx/libvpx0_0.9.5-2_amd64.deb
libvpx_0.9.5-2.debian.tar.gz
  to main/libv/libvpx/libvpx_0.9.5-2.debian.tar.gz
libvpx_0.9.5-2.dsc
  to main/libv/libvpx/libvpx_0.9.5-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 610...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <sl...@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Feb 2011 11:59:42 +0100
Source: libvpx
Binary: libvpx-dev libvpx0 libvpx0-dbg libvpx-doc
Architecture: source all amd64
Version: 0.9.5-2
Distribution: unstable
Urgency: low
Maintainer: Sebastian Dröge <sl...@debian.org>
Changed-By: Sebastian Dröge <sl...@debian.org>
Description: 
 libvpx-dev - VP8 video codec (development files)
 libvpx-doc - VP8 video codec (API documentation)
 libvpx0    - VP8 video codec (shared library)
 libvpx0-dbg - VP8 video codec (debugging symbols)
Closes: 610510
Changes: 
 libvpx (0.9.5-2) unstable; urgency=low
 .
   * Upload to unstable.
   * debian/patches/02_cve-2010-4489.patch:
     + SECURITY -- CVE 2010-4489: Fix integer overflow in decoder
       Patch taken from upstream GIT (Closes: #610510).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEUEARECAAYFAk1RI6YACgkQBsBdh1vkHyENQgCY2vBKGvJ6lOMVX5af/zeHZHOM
LgCfQsXTpcgiXwU89/1LvkVih1YdkEg=
=em94
-----END PGP SIGNATURE-----



--- End Message ---
