Bug#940647: buster-pu: package libmysofa/0.6~dfsg0-3
IOhannes m zmoelnig
2019-09-18 12:50:01 UTC
Package: release.debian.org
Severity: normal
Tags: buster
User: ***@packages.debian.org
Usertags: pu

Dear release-team,

the binary package libmysofa0 is used by VLC (the ubiquitous media
player) and the ffmpeg framework (the ubiquitous media framework), and
consequently has a popcon of 43382.

The src:libmysofa package has been assigned a number of CVEs and a
cumulative Debian bug #939735.
The issues (NULL-pointer access, out-of-bound reads, invalid reads and
writes) have been promptly fixed by upstream, who have released a new
version (0.8).

I've uploaded the new version to 'sid' yesterday (setting urgency=high; I
hope this is correct).
For buster (which ships 0.6) I need your cooperation in order to get the
package uploaded.

Since there are a number of CVEs involved, I have first contacted the security
I have looked at those now from stable update point of view, and I
think they are somehow limited impact (clearly with possibility to lead
to crashes of reverse dependencies), but would not warrant a DSA on its
own.
I tend to mark those as no-dsa for buster and ask you if you can
schedule an update just for the next buster point release.
I agree with their assessment of the impact of these CVEs, so here I am :-)

Please see the attached debdiff for my proposed changes.
These changes include fixes for the various CVEs and a (small but) cumulative
patch for 3 more security issues fixed upstream, which haven't got a CVE
assigned.

Let me know what I should do.

Cheers and thanks for making Debian a better place.

fgamsdr
IOhannes
Adam D. Barratt
2019-11-08 20:50:02 UTC
Control: tags -1 + confirmed
Post by IOhannes m zmoelnig
the binary package libmysofa0 is used by VLC (the ubiquitous media
player) and the ffmpeg framework (the ubiquitous media framework),
and consequently has a popcon of 43382.
The src:libmysofa package has been assigned a number of CVEs and a
cumulative Debian bug #939735.
The issues (NULL-pointer access, out-of-bound reads, invalid reads
and writes) have been promptly fixed by upstream, who have released a
new version (0.8).
Please go ahead. Sorry for the delay.

Regards,

Adam
Adam D Barratt
2019-12-07 19:50:01 UTC
package release.debian.org
tags 940647 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: libmysofa
Version: 0.6~dfsg0-3+deb10u1

Explanation: security fixes [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]