Your message dated Tue, 10 Mar 2026 11:48:33 +0000
with message-id <[email protected]>
and subject line Bug#1130059: fixed in gst-plugins-bad1.0 1.28.1-2
has caused the Debian Bug report #1130059,
regarding gstreamer1.0-plugins-bad: Multiple security vulnerabilities fixed
upstream (possible RCE)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130059
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gstreamer1.0-plugins-bad
Version: 1.26.2-3
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
Dear Maintainer,

The version of gstreamer1.0-plugins-bad currently shipped in Debian appears to be affected by multiple security vulnerabilities that have already been fixed in upstream releases.

The following CVEs were addressed in upstream version 1.28.1:

- ZDI-CAN-28840 - It might be possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
- ZDI-CAN-28838 - It is possible for a malicious third party to trigger out-of-bounds reads and writes to heap memory, which can result in a crash of the application.
- ZDI-CAN-28911 - It is possible for a malicious third party to trigger a buffer overflow that can result in a crash of the application and possibly also allow code execution through stack manipulation.
- ZDI-CAN-28839 - A stack overflow in the H.266 video bitstream parser when parsing pic_timing SEIs can cause crashes for certain input files, and could possibly also allow code execution through stack manipulation.
- ZDI-CAN-28910 - An out-of-bound write in the H.266 video bitstream parser when parsing picture partitions can cause crashes for certain input files, and could possibly also allow code execution through heap manipulation.
- GStreamer-SA-2026-0012 - A missing bounds check in the H.265 video parser could cause a crash for certain malformed input files through memory exhaustion.
References:
https://gstreamer.freedesktop.org/releases/1.28/#1.28.1
https://gstreamer.freedesktop.org/security/
Patches:
ZDI-CAN-28840 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885.patch
ZDI-CAN-28838 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10884.patch
ZDI-CAN-28911 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10888.patch
ZDI-CAN-28839 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10889.patch
ZDI-CAN-28910 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10887.patch
GStreamer-SA-2026-0012 - https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10902.patch
-- System Information:
Debian Release: 13.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.73+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gstreamer1.0-plugins-bad depends on:
ii gstreamer1.0-plugins-base 1.26.2-1
ii gstreamer1.0-plugins-good 1.26.2-1
ii libaom3 3.12.1-1
ii libass9 1:0.17.3-1+b1
ii libavtp0 0.2.0-2
ii libbs2b0 3.1.0+dfsg-8+b1
ii libbz2-1.0 1.0.8-6
ii libc6 2.41-12+deb13u1
ii libcairo2 1.18.4-1+b1
ii libchromaprint1 1.5.1-7
ii libcurl3t64-gnutls 8.14.1-2+deb13u2
ii libdc1394-25 2.2.6-5
ii libdca0 0.0.7-2+b2
ii libde265-0 1.0.15-1+b3
ii libdrm2 2.4.124-2
ii libdvdnav4 6.1.1-3+b1
ii libdvdread8t64 6.1.3-2
ii libfaad2 2.11.2-1
ii libflite1 2.2-7
ii libfluidsynth3 2.4.4+dfsg-1+deb13u1
ii libfreeaptx0 0.2.2-1
ii libgcc-s1 14.2.0-19
ii libglib2.0-0t64 2.84.4-3~deb13u2
ii libgme0 0.6.3-7+b2
ii libgsm1 1.0.22-1+b2
ii libgstreamer-gl1.0-0 1.26.2-1
ii libgstreamer-plugins-bad1.0-0 1.26.2-3
ii libgstreamer-plugins-base1.0-0 1.26.2-1
ii libgstreamer1.0-0 1.26.2-2
ii libgtk-3-0t64 3.24.49-3
ii libgudev-1.0-0 238-6
ii libimath-3-1-29t64 3.1.12-1+b3
ii libjson-glib-1.0-0 1.10.6+ds-2
ii liblc3-1 1.1.3+dfsg-1
ii liblcms2-2 2.16-2
ii libldacbt-enc2 2.0.2.3+git20200429+ed310a0-5
ii liblilv-0-0 0.24.26-1
ii liblrdf0 0.6.1-4+b2
ii libltc11 1.3.2-1+b2
ii libmjpegutils-2.1-0t64 1:2.1.0+debian-8.1+b1
ii libmodplug1 1:0.8.9.0-3+b2
ii libmpcdec6 2:0.1~r495-3
ii libmpeg2encpp-2.1-0t64 1:2.1.0+debian-8.1+b1
ii libmplex2-2.1-0t64 1:2.1.0+debian-8.1+b1
ii libneon27t64 0.34.2-1
ii libnettle8t64 3.10.1-1
ii libonnxruntime1.21 1.21.0+dfsg-1
ii libopenal1 1:1.24.2-1
ii libopenexr-3-1-30 3.1.13-2
ii libopenh264-8 2.6.0+dfsg-2
ii libopenjp2-7 2.5.3-2.1~deb13u1
ii libopenmpt0t64 0.7.13-1+b1
ii libopenni2-0 2.2.0.33+dfsg-18+b2
ii libopus0 1.5.2-2
ii liborc-0.4-0t64 1:0.4.41-1
ii libpango-1.0-0 1.56.3-1
ii libpangocairo-1.0-0 1.56.3-1
ii libqrencode4 4.1.1-2
ii librsvg2-2 2.60.0+dfsg-1
ii librtmp1 2.4+20151223.gitfa8646d.1-2+b5
ii libsbc1 2.1-1
ii libsndfile1 1.2.2-2+b1
ii libsoundtouch1 2.4.0+ds-1
ii libspandsp2t64 0.0.6+dfsg-2.2
ii libsrt1.5-gnutls 1.5.4-1
ii libsrtp2-1 2.7.0-3
ii libssl3t64 3.5.4-1~deb13u2
ii libstdc++6 14.2.0-19
ii libsvtav1enc2 2.3.0+dfsg-1
ii libusb-1.0-0 2:1.0.28-1
ii libva2 2.22.0-3
ii libvo-aacenc0 0.1.3-3
ii libvo-amrwbenc0 0.1.3-2+b2
ii libvulkan1 1.4.309.0-1
ii libwayland-client0 1.23.1-3
ii libwebp7 1.5.0-0.1
ii libwebpmux3 1.5.0-0.1
ii libwebrtc-audio-processing-1-3 1.3-3+b1
ii libwildmidi2 0.4.3-1+b3
ii libx11-6 2:1.8.12-1
ii libx265-215 4.1-2
ii libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u2
ii libzbar0t64 0.23.93-8
ii libzvbi0t64 0.2.44-1
ii libzxing3 2.3.0-4
gstreamer1.0-plugins-bad recommends no packages.
Versions of packages gstreamer1.0-plugins-bad suggests:
pn frei0r-plugins <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gst-plugins-bad1.0
Source-Version: 1.28.1-2
Done: Marc Leeman <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gst-plugins-bad1.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Leeman <[email protected]> (supplier of updated gst-plugins-bad1.0
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 10 Mar 2026 10:53:38 +0100
Source: gst-plugins-bad1.0
Architecture: source
Version: 1.28.1-2
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of GStreamer packages
<[email protected]>
Changed-By: Marc Leeman <[email protected]>
Closes: 1130059
Changes:
gst-plugins-bad1.0 (1.28.1-2) unstable; urgency=medium
.
* Revert "Build the ONNX neural network plugin"
* Overdue closing of security bug with release of new upstream 1.28.1
(Closes: #1130059)
--- End Message ---