Your message dated Thu, 19 Jun 2025 11:17:10 +0000
with message-id <e1usdgy-003syz...@fasolo.debian.org>
and subject line Bug#1106285: fixed in gst-plugins-bad1.0 1.22.0-4+deb12u6
has caused the Debian Bug report #1106285,
regarding gst-plugins-bad1.0: CVE-2025-3887
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106285
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gst-plugins-bad1.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for gst-plugins-bad1.0.
CVE-2025-3887[0]:
| GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of GStreamer.
| Interaction with this library is required to exploit this
| vulnerability but attack vectors may vary depending on the
| implementation. The specific flaw exists within the parsing of H265
| slice headers. The issue results from the lack of proper validation
| of the length of user-supplied data prior to copying it to a fixed-
| length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current process.
| Was ZDI-CAN-26596.
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d0e18d6353e4e448ccf3b06a967b394e664dd0b5
https://www.zerodayinitiative.com/advisories/ZDI-25-267/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-3887
https://www.cve.org/CVERecord?id=CVE-2025-3887
Please adjust the affected versions in the BTS as needed.
--- End Message ---
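As an added illustration of the defect class described in the advisory above (a count taken from the bitstream used to fill a fixed-length stack array), written for this page and not taken from GStreamer's code or the fix commit: a minimal bit reader with H.265-style Exp-Golomb ue(v) decoding, where the entry count is checked against the array capacity before any entry is written. The field layout, MAX_ENTRIES, the sample inputs and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTRIES 8  /* fixed stack-array capacity; hypothetical, not GStreamer's */
typedef struct { const uint8_t *data; size_t len, bitpos; } BitReader; /* len in bytes */

/* Read n bits (n <= 32) MSB-first; fails cleanly at end of input. */
static bool read_bits(BitReader *br, unsigned n, uint32_t *out) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->bitpos++) {
        size_t byte = br->bitpos >> 3;
        if (byte >= br->len) return false;
        v = (v << 1) | ((br->data[byte] >> (7 - (br->bitpos & 7))) & 1);
    }
    *out = v;
    return true;
}

/* Unsigned Exp-Golomb ue(v), the coding of most H.265 header fields; the
 * leading-zero count is capped so the shift below cannot overflow. */
static bool read_ue(BitReader *br, uint32_t *out) {
    unsigned zeros = 0;
    uint32_t bit, rest;
    for (;;) {
        if (!read_bits(br, 1, &bit)) return false;
        if (bit) break;
        if (++zeros > 31) return false;  /* malformed code */
    }
    if (!read_bits(br, zeros, &rest)) return false;
    *out = ((1u << zeros) - 1) + rest;
    return true;
}

/* Parse "count, then count ue(v) entries" into a caller's fixed array. Returns
 * the entries stored, or -1 on truncated input or a count above MAX_ENTRIES:
 * the length check that the advisory says was missing. */
int parse_entries(const uint8_t *buf, size_t len, uint32_t entries[MAX_ENTRIES]) {
    BitReader br = { buf, len, 0 };
    uint32_t count;
    if (!read_ue(&br, &count)) return -1;
    if (count > MAX_ENTRIES) return -1;  /* reject before writing any entry */
    for (uint32_t i = 0; i < count; i++)
        if (!read_ue(&br, &entries[i])) return -1;
    return (int)count;
}

/* Constructed inputs. Bits: ue(2)=011 ue(3)=00100 ue(0)=1 ue(9)=0001010, zero-padded. */
const uint8_t SAMPLE_OK[]        = { 0x64, 0x80 };  /* count 2, entries 3 and 0 */
const uint8_t SAMPLE_OVERSIZED[] = { 0x0A };        /* count 9 > MAX_ENTRIES */
const uint8_t SAMPLE_TRUNCATED[] = { 0x70 };        /* count 2, second entry cut off */
```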
--- Begin Message ---
Source: gst-plugins-bad1.0
Source-Version: 1.22.0-4+deb12u6
Done: Moritz Mühlenhoff <j...@debian.org>
We believe that the bug you reported is fixed in the latest version of
gst-plugins-bad1.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated gst-plugins-bad1.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Jun 2025 20:21:59 +0200
Source: gst-plugins-bad1.0
Architecture: source
Version: 1.22.0-4+deb12u6
Distribution: bookworm-security
Urgency: medium
Maintainer: Maintainers of GStreamer packages <gst-plugins-bad...@packages.debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1106285
Changes:
gst-plugins-bad1.0 (1.22.0-4+deb12u6) bookworm-security; urgency=medium
.
* CVE-2025-3887 (Closes: #1106285)
--- End Message ---