Format: 1.8
Date: Sat, 25 Mar 2017 19:38:02 +0200
Source: gst-plugins-bad1.0
Binary: gstreamer1.0-plugins-bad-doc gstreamer1.0-plugins-bad gstreamer1.0-plugins-bad-dbg libgstreamer-plugins-bad1.0-0 libgstreamer-plugins-bad1.0-dev
Architecture: source all amd64
Version: 1.4.4-2.1+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description:
 gstreamer1.0-plugins-bad - GStreamer plugins from the "bad" set
 gstreamer1.0-plugins-bad-dbg - GStreamer plugins from the "bad" set (debug symbols)
 gstreamer1.0-plugins-bad-doc - GStreamer documentation for plugins from the "bad" set
 libgstreamer-plugins-bad1.0-0 - GStreamer development files for libraries from the "bad" set
 libgstreamer-plugins-bad1.0-dev - GStreamer development files for libraries from the "bad" set
Changes:
 gst-plugins-bad1.0 (1.4.4-2.1+deb8u2) jessie-security; urgency=medium
 .
   * debian/patches/0001-psdemux-Rewrite-PSM-parsing-using-GstByteReader.patch
     + The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in
       gst-plugins-bad in GStreamer allows remote attackers to cause a denial
       of service (invalid memory read and crash) via vectors involving PSM
       parsing.
       https://bugzilla.gnome.org/show_bug.cgi?id=777957
       .
       Fixes CVE-2017-5848
 .
   * debian/patches/0002-mxfdemux-Set-stream-tags-to-NULL-after-unreffing.patch
     + Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref,
       (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks
       functions in GStreamer before 1.10.3 allow remote attackers to cause a
       denial of service (crash) via vectors involving stream tags, as
       demonstrated by 02785736.mxf.
       https://bugzilla.gnome.org/show_bug.cgi?id=777503
       .
       Fixes CVE-2017-5843
 .
   * debian/patches/0003-mpegtssection-Fix-PAT-parsing.patch
     + The _parse_pat function in the mpegts parser in GStreamer before 1.10.2
       allows remote attackers to cause a denial of service (NULL pointer
       dereference and crash) via a crafted file.
       https://bugzilla.gnome.org/show_bug.cgi?id=775120
       .
       Fixes CVE-2016-9813
 .
   * debian/patches/0004-mpegtssection-Add-more-section-size-checks.patch
     + The gst_mpegts_section_new function in the mpegts decoder in GStreamer
       before 1.10.2 allows remote attackers to cause a denial of service
       (out-of-bounds read) via a too small section.
       https://bugzilla.gnome.org/show_bug.cgi?id=775048
       .
       Fixes CVE-2016-9812
 .
   * debian/patches/0005-h264parse-Ensure-codec_data-has-the-required-size-wh.patch,
     debian/patches/0006-h265parse-Ensure-codec_data-has-the-required-size-wh.patch:
     + Off-by-one error in the gst_h264_parse_set_caps function in GStreamer
       before 1.10.2 allows remote attackers to have unspecified impact via a
       crafted file, which triggers an out-of-bounds read.
       https://bugzilla.gnome.org/show_bug.cgi?id=774896
       .
       Fixes CVE-2016-9809