Your message dated Tue, 21 Sep 2021 08:34:30 +0000
with message-id <[email protected]>
and subject line Bug#994754: fixed in ccextractor 0.93+ds2-1
has caused the Debian Bug report #994754,
regarding ccextractor embeds unpatched and vulnerable source code from gpac
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
994754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ccextractor
Version: 0.93+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
ccextractor embeds source code from the gpac project. Some files are
moved and some files are omitted but the files that remain match the
equivalent files in gpac. In unstable, ccextractor 0.93 embeds gpac 1.0.1.
This embedding has not been declared to the security team and is not
listed on the embedded copies wiki page (yet).
I have a local build which adds gpac to the existing list of ccextractor
dependencies which are removed from the ccextractor source and replaced
with a dependency on libgpac10. This will resolve this bug for unstable
and for bookworm.
The problem affects older versions of ccextractor as well. Versions 0.88
and 0.87 of ccextractor embed gpac code in a similar fashion, from gpac
0.7.1 - a version which was packaged for Debian but did not make it into
a stable release. Buster and bullseye have gpac version 0.52, with some
additions. Version 0.52 of gpac is not used in ccextractor.
ccextractor in buster and bullseye therefore embeds newer gpac code than
is currently available in the binaries built from gpac in buster or bullseye.
It is likely that buster and bullseye would need separate updates to
patch the vulnerabilities directly into the embedded gpac code at
v0.7.1 - it should probably be the same patch for each.
Additionally, not all source code files from gpac are embedded into
ccextractor - an AppWizard was used to trim the source to the
functionality expected by the ccextractor upstream. Some CVEs which
affect gpac do not therefore affect ccextractor as the vulnerable source
code has been removed during the embedding process by ccextractor upstream.
An initial check of the ccextractor source code in buster showed that
the following CVEs are applicable to ccextractor in buster and therefore
in bullseye, via embedded gpac code at gpac version 0.7.1.
CVE-2021-33362
CVE-2021-32440
CVE-2021-32139
CVE-2021-32137
CVE-2021-32134
CVE-2021-31260
CVE-2021-31258
CVE-2021-30014
CVE-2021-28300
CVE-2021-21852
CVE-2020-35981
CVE-2020-35980
CVE-2020-24829
CVE-2020-19751
CVE-2020-6631
CVE-2020-6630
CVE-2019-20208
CVE-2019-20171
CVE-2019-20170
CVE-2019-20162
CVE-2019-20161
CVE-2019-13618
CVE-2019-12483
CVE-2019-12482
CVE-2019-12481
CVE-2018-21015
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ccextractor depends on:
ii libavcodec58 7:4.4-6+b1
ii libavformat58 7:4.4-6+b1
ii libavutil56 7:4.4-6+b1
ii libc6 2.32-3
ii libfreetype6 2.10.4+dfsg-1
ii liblept5 1.79.0-1.1
ii libpng16-16 1.6.37-3
ii libswscale5 7:4.4-6+b1
ii libtesseract4 4.1.1-2.1
ii libutf8proc2 2.5.0-1
ii zlib1g 1:1.2.11.dfsg-2
ccextractor recommends no packages.
ccextractor suggests no packages.
-- no debconf information
--- End Message ---
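The report above describes gpac files embedded into ccextractor with some files moved and others omitted. As an added example (not from the report, ccextractor or gpac), this Python script finds such copies by comparing normalized file contents rather than paths, and lists the upstream files that were trimmed out, which is the split that decides which upstream CVEs can carry over; load_tree, find_embedded_copies and trimmed_upstream are assumed names and the sample trees are constructed.

```python
"""Find files in a package source tree that are copies of another project's files,
even after being moved. Added example; not from the Debian report, ccextractor or gpac."""
import hashlib
import os
from collections import defaultdict

def content_digest(data: bytes) -> str:
    # Hash after canonicalizing CRLF/trailing whitespace so editor churn cannot hide a copy.
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return hashlib.sha256(b"\n".join(ln.rstrip() for ln in lines)).hexdigest()

def load_tree(root: str, exts=(".c", ".h", ".cpp", ".hpp")) -> dict:
    # Map relative path -> bytes for every C/C++ source file under root.
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return files

def find_embedded_copies(package: dict, upstream: dict) -> dict:
    # {package_path: [upstream paths with identical content]}, keyed by digest rather
    # than path, so files relocated during embedding still match.
    by_digest = defaultdict(list)
    for path, data in upstream.items():
        by_digest[content_digest(data)].append(path)
    hits = {}
    for path, data in package.items():
        matches = by_digest.get(content_digest(data))
        if matches:
            hits[path] = sorted(matches)
    return hits

def trimmed_upstream(hits: dict, upstream: dict) -> list:
    # Upstream files absent from the package: CVEs confined to them do not apply.
    found = {u for ups in hits.values() for u in ups}
    return sorted(set(upstream) - found)
# Constructed sample trees standing in for ccextractor and gpac (not real files).
SAMPLE_UPSTREAM = {
    "src/isomedia/box_code_base.c": b"int parse_box(void){\r\n  return 0;\r\n}\r\n",
    "src/isomedia/box_funcs.c": b"int read_box(void){return 1;}\n",
    "src/utils/bitstream.c": b"int bs_read(void){return 2;}\n",
}
SAMPLE_PACKAGE = {
    "src/gpacmp4/box_code_base.c": b"int parse_box(void){\n  return 0;   \n}\n",
    "src/gpacmp4/bitstream.c": b"int bs_read(void){return 2;}\n",
    "src/lib_ccx/ccx_decoders.c": b"int decode(void){return 3;}\n",
}
```

On real trees, call load_tree on the unpacked package and upstream sources and pass the two dicts to find_embedded_copies; anything it reports needs to be tracked against that upstream version's advisories.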
--- Begin Message ---
Source: ccextractor
Source-Version: 0.93+ds2-1
Done: Neil Williams <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ccextractor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Neil Williams <[email protected]> (supplier of updated ccextractor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 20 Sep 2021 08:57:51 +0100
Source: ccextractor
Architecture: source
Version: 0.93+ds2-1
Distribution: unstable
Urgency: medium
Maintainer: Freexian Packaging Team <[email protected]>
Changed-By: Neil Williams <[email protected]>
Closes: 994754
Changes:
ccextractor (0.93+ds2-1) unstable; urgency=medium
.
* Team upload
.
* Repacked upstream release to drop embedded gpac sources.
* Use system gpac libraries (Closes: #994754)
- CVE-2021-33362 CVE-2021-32440 CVE-2021-32139
- CVE-2021-32137 CVE-2021-32134 CVE-2021-31260
- CVE-2021-31258 CVE-2021-30014 CVE-2021-28300
- CVE-2021-21852 CVE-2020-35981 CVE-2020-35980
- CVE-2020-24829 CVE-2020-19751 CVE-2020-6631
- CVE-2020-6630 CVE-2019-20208 CVE-2019-20171
- CVE-2019-20170 CVE-2019-20162 CVE-2019-20161
- CVE-2019-13618 CVE-2019-12483 CVE-2019-12482
- CVE-2019-12481 CVE-2018-21015
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---