Bug#343503: marked as done ([CVE-2005-4048] avcodec_default_get_buffer heap overflow)

Debian Bug Tracking System owner at bugs.debian.org
Thu Dec 15 22:19:33 UTC 2005


Your message dated Thu, 15 Dec 2005 14:02:45 -0800
with message-id <E1En1BV-0007Hd-1x at spohr.debian.org>
and subject line Bug#343503: fixed in gst-ffmpeg 0.8.7-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Florian Weimer <fw at deneb.enyo.de>
To: submit at bugs.debian.org
Subject: [CVE-2005-4048] avcodec_default_get_buffer heap overflow
Date: Thu, 15 Dec 2005 19:37:30 +0100
Message-ID: <87slsuqk9h.fsf at mid.deneb.enyo.de>

Package: gst-ffmpeg
Tags: security
Severity: grave

The package embeds a local copy of libavcodec, which is vulnerable to
CVE-2005-4048:

http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558
http://mplayerhq.hu/pipermail/ffmpeg-cvslog/2005-December/000979.html

Please check if it is necessary to apply the patch to gst-ffmpeg as
well.

---------------------------------------
From: Loic Minier <lool at dooz.org>
To: 343503-close at bugs.debian.org
Subject: Bug#343503: fixed in gst-ffmpeg 0.8.7-5
Message-Id: <E1En1BV-0007Hd-1x at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Thu, 15 Dec 2005 14:02:45 -0800

Source: gst-ffmpeg
Source-Version: 0.8.7-5

We believe that the bug you reported is fixed in the latest version of
gst-ffmpeg, which is due to be installed in the Debian FTP archive:

gst-ffmpeg_0.8.7-5.diff.gz
  to pool/main/g/gst-ffmpeg/gst-ffmpeg_0.8.7-5.diff.gz
gst-ffmpeg_0.8.7-5.dsc
  to pool/main/g/gst-ffmpeg/gst-ffmpeg_0.8.7-5.dsc
gstreamer0.8-ffmpeg_0.8.7-5_i386.deb
  to pool/main/g/gst-ffmpeg/gstreamer0.8-ffmpeg_0.8.7-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 343503 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool at dooz.org> (supplier of updated gst-ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Dec 2005 20:44:36 +0100
Source: gst-ffmpeg
Binary: gstreamer0.8-ffmpeg
Architecture: source i386
Version: 0.8.7-5
Distribution: unstable
Urgency: low
Maintainer: Loic Minier <lool at dooz.org>
Changed-By: Loic Minier <lool at dooz.org>
Description: 
 gstreamer0.8-ffmpeg - FFmpeg plugin for GStreamer
Closes: 343503
Changes: 
 gst-ffmpeg (0.8.7-5) unstable; urgency=low
 .
   * SECURITY: New patch from ffmpeg's CVS to address a heap overflow in
     avcodec_default_get_buffer identified as CVE-2005-4048. (Closes: #343503)
     [debian/patches/32_CVE-2005-4048_avcodec-default-get-buffer-heap-overflow.patch]
Files: 
 d24957e15af7de119559a1705778b863 864 libs optional gst-ffmpeg_0.8.7-5.dsc
 b948585d52f2925c316a7bd0c53a273e 4766 libs optional gst-ffmpeg_0.8.7-5.diff.gz
 7ce9642ececaf3a00e0b67cdf1d9330c 2030940 libs optional gstreamer0.8-ffmpeg_0.8.7-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDock14VUX8isJIMARAtY4AJ9Ahs2026YzULITl87+48eXZAfw9ACfYjTe
iYL0DaPohH42/F/pcp908Qk=
=8hPJ
-----END PGP SIGNATURE-----



