Your message dated Fri, 29 Sep 2023 14:58:43 +0000
with message-id <e1qmex1-005s2p...@fasolo.debian.org>
and subject line Bug#1053182: fixed in libvpx 1.12.0-1.1
has caused the Debian Bug report #1053182,
regarding libvpx: CVE-2023-5217
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvpx
Version: 1.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libvpx.
CVE-2023-5217[0]:
| Heap buffer overflow in vp8 encoding in libvpx in Google Chrome
| prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker
| to potentially exploit heap corruption via a crafted HTML page.
| (Chromium security severity: High)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-5217
    https://www.cve.org/CVERecord?id=CVE-2023-5217
[1] https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
[2] https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libvpx
Source-Version: 1.12.0-1.1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libvpx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Sep 2023 23:07:11 +0200
Source: libvpx
Architecture: source
Version: 1.12.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1053182
Changes:
libvpx (1.12.0-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* encode_api_test: add ConfigResizeChangeThreadCount
* VP8: disallow thread count changes (CVE-2023-5217) (Closes: #1053182)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---