Bug#986910: marked as done (gst-plugins-good1.0: CVE-2021-3497)
Your message dated Fri, 30 Apr 2021 16:47:22 +
with message-id and subject line Bug#986910: fixed in gst-plugins-good1.0 1.14.4-1+deb10u1
has caused the Debian Bug report #986910,
regarding gst-plugins-good1.0: CVE-2021-3497
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
986910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: gst-plugins-good1.0
Version: 1.18.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: fixed -1 1.18.4-1

Hi,

The following vulnerability was published for gst-plugins-good1.0.

CVE-2021-3497[0]:
| gstreamer-plugins-good: Use-after-free in matroska demuxing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497
[1] https://gstreamer.freedesktop.org/security/sa-2021-0002.html
[2] https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gst-plugins-good1.0
Source-Version: 1.14.4-1+deb10u1
Done: Sebastian Dröge

We believe that the bug you reported is fixed in the latest version of
gst-plugins-good1.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge (supplier of updated gst-plugins-good1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 22 Apr 2021 21:32:31 +0300
Source: gst-plugins-good1.0
Binary: gstreamer1.0-gtk3 gstreamer1.0-plugins-good gstreamer1.0-plugins-good-dbg gstreamer1.0-plugins-good-doc gstreamer1.0-pulseaudio gstreamer1.0-qt5
Architecture: source amd64 all
Version: 1.14.4-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Maintainers of GStreamer packages
Changed-By: Sebastian Dröge
Description:
 gstreamer1.0-gtk3 - GStreamer plugin for GTK+3
 gstreamer1.0-plugins-good - GStreamer plugins from the "good" set
 gstreamer1.0-plugins-good-dbg - GStreamer plugins from the "good" set
 gstreamer1.0-plugins-good-doc - GStreamer documentation for plugins from the "good" set
 gstreamer1.0-pulseaudio - GStreamer plugin for PulseAudio
 gstreamer1.0-qt5 - GStreamer plugin for Qt5
Closes: 986910 986911
Changes:
 gst-plugins-good1.0 (1.14.4-1+deb10u1) buster-security; urgency=high
 .
   * debian/patches/0001-matroskademux-Initialize-track-context-out-parameter-to-NULL.patch:
     + Fix use-after free and stack corruption in Matroska demuxer
       (CVE-2021-3497) (Closes: #986910).
   * debian/patches/0002-matroskademux-Fix-extraction-of-multichannel-WavPack.patch:
     + Fix extraction of multichannel WavPack in Matroska demuxer, which
       caused heap corruption (CVE-2021-3498) (Closes: #986911).
Bug#986910: marked as done (gst-plugins-good1.0: CVE-2021-3497)
Your message dated Thu, 22 Apr 2021 19:18:59 +
with message-id and subject line Bug#986910: fixed in gst-plugins-good1.0 1.18.4-2
has caused the Debian Bug report #986910,
regarding gst-plugins-good1.0: CVE-2021-3497
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
986910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: gst-plugins-good1.0
Version: 1.18.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: fixed -1 1.18.4-1

Hi,

The following vulnerability was published for gst-plugins-good1.0.

CVE-2021-3497[0]:
| gstreamer-plugins-good: Use-after-free in matroska demuxing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497
[1] https://gstreamer.freedesktop.org/security/sa-2021-0002.html
[2] https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gst-plugins-good1.0
Source-Version: 1.18.4-2
Done: Sebastian Dröge

We believe that the bug you reported is fixed in the latest version of
gst-plugins-good1.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge (supplier of updated gst-plugins-good1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 22 Apr 2021 20:48:09 +0300
Source: gst-plugins-good1.0
Architecture: source
Version: 1.18.4-2
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of GStreamer packages
Changed-By: Sebastian Dröge
Closes: 986910 986911
Changes:
 gst-plugins-good1.0 (1.18.4-2) unstable; urgency=medium
 .
   * Upload to unstable:
     + Fixes CVE-2021-3497 (Closes: #986910).
     + Fixes CVE-2021-3498 (Closes: #986911).