Bug#932131: marked as done (vlc: CVE-2019-13602)

Debian Bug Tracking System
Your message dated Mon, 15 Jul 2019 18:36:20 +0000
with message-id <[hidden email]>
and subject line Bug#932131: fixed in vlc 3.0.7.1-2
has caused the Debian Bug report #932131,
regarding vlc: CVE-2019-13602
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
932131: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932131
Debian Bug Tracking System
Contact [hidden email] with problems

Source: vlc
Version: 3.0.7.1-1
Severity: important
Tags: security upstream
Control: found -1 3.0.7-1
Control: found -1 3.0.7-0+deb9u1

Hi,

The following vulnerability was published for vlc.

CVE-2019-13602[0]:
| An Integer Underflow in MP4_EIA608_Convert() in
| modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1
| allows remote attackers to cause a denial of service (heap-based
| buffer overflow and crash) or possibly have unspecified other impact
| via a crafted .mp4 file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13602
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13602

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Source: vlc
Source-Version: 3.0.7.1-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <[hidden email]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jul 2019 19:55:05 +0200
Source: vlc
Architecture: source
Version: 3.0.7.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[hidden email]>
Changed-By: Sebastian Ramacher <[hidden email]>
Closes: 932131
Changes:
 vlc (3.0.7.1-2) unstable; urgency=medium
 .
   * debian/: Remove obsolete maintscripts.
   * debian/control:
     - Remove obsolete transitional package.
     - Remove obsolete Breaks+Replaces.
     - Bump Standards-Version.
   * debian/patches: Apply upstream patches to
     - unbreak rendering in subsvtt.
     - fix integer underflows in mp4. (CVE-2019-13602) (Closes: #932131)
Checksums-Sha1:
 4079a2ce1dbe552fd498b05dd1bdf4ec9398c094 6377 vlc_3.0.7.1-2.dsc
 f59d0dea46ccf90c153df98ef4a4fa4c83bb95d7 64296 vlc_3.0.7.1-2.debian.tar.xz
Checksums-Sha256:
 d6c8804fcca8ec2d64c741b0187d12005426dc9edea4125feae9a79a7852ebfe 6377 vlc_3.0.7.1-2.dsc
 e3bf6c8c16d59aa35caae349dd9398d55f43e76f605443a4e705d05b77f0bf79 64296 vlc_3.0.7.1-2.debian.tar.xz
Files:
 ae872decab91bb343536dff2c48e8594 6377 video optional vlc_3.0.7.1-2.dsc
 12bb2c674ea886309b100a714518fb6b 64296 video optional vlc_3.0.7.1-2.debian.tar.xz
