CVE-2019-11461

Related Vulnerabilities: CVE-2019-11461  

Debian Bug report logs - #928054
CVE-2019-11461


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 26 Apr 2019 21:15:04 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version nautilus/3.30.5-1

Fixed in version nautilus/3.30.5-2

Done: Iain Lane <laney@debian.org>

Forwarded to https://gitlab.gnome.org/GNOME/nautilus/issues/987



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#928054; Package src:nautilus. (Fri, 26 Apr 2019 21:15:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 26 Apr 2019 21:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-11461
Date: Fri, 26 Apr 2019 23:14:28 +0200

Source: nautilus
Severity: important
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11461

Cheers,
        Moritz



Set Bug forwarded-to-address to 'https://gitlab.gnome.org/GNOME/nautilus/issues/987'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 21:21:03 GMT)


Marked as found in versions nautilus/3.30.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 21:24:02 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 21:24:04 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 02 May 2019 19:27:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#928054; Package src:nautilus. (Sun, 26 May 2019 19:21:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 26 May 2019 19:21:03 GMT)


Message #18 received at 928054@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 928054@bugs.debian.org
Subject: Re: CVE-2019-11461
Date: Sun, 26 May 2019 21:16:31 +0200

On Fri, Apr 26, 2019 at 11:14:28PM +0200, Moritz Muehlenhoff wrote:
> Source: nautilus
> Severity: important
> Tags: security
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11461

This is fixed in https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659
Can we please get that fixed for buster?
 
Cheers,
        Moritz



Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#928054. (Wed, 29 May 2019 11:48:03 GMT)


Message #21 received at 928054-submitter@bugs.debian.org:

From: Iain Lane <noreply@salsa.debian.org>
To: 928054-submitter@bugs.debian.org
Subject: Bug#928054 marked as pending in nautilus
Date: Wed, 29 May 2019 11:45:14 +0000

Control: tag -1 pending

Hello,

Bug #928054 in nautilus reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/nautilus/commit/ef52aef24177de524153c2737efecd61e3c8696f

------------------------------------------------------------------------
Update gnome-desktop code

Nautilus contains a copy of this code, originating in gnome-desktop3.

Fixes a potential crash during thumbnailing

Fixes thumbnailer on 32-bit systems where /lib64 is not available.  Also
improve handling of usrmerged and non-usrmerged systems. (Related to LP:

Also includes 08c6d9e6cdd903ae67c496ffd7ae3de4619c6f40 from upstream,
which is a build fix. And a corresponding BD on libfontconfig1-dev, to
fetch the needed variable from its pcfile.

Fixes CVE-2019-11461
Closes: #928054
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/928054



Added tag(s) pending. Request was from Iain Lane <noreply@salsa.debian.org> to 928054-submitter@bugs.debian.org. (Wed, 29 May 2019 11:48:03 GMT)


Reply sent to Iain Lane <laney@debian.org>:
You have taken responsibility. (Wed, 29 May 2019 12:21:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 29 May 2019 12:21:04 GMT)


Message #28 received at 928054-close@bugs.debian.org:

From: Iain Lane <laney@debian.org>
To: 928054-close@bugs.debian.org
Subject: Bug#928054: fixed in nautilus 3.30.5-2
Date: Wed, 29 May 2019 12:18:31 +0000

Source: nautilus
Source-Version: 3.30.5-2

We believe that the bug you reported is fixed in the latest version of
nautilus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928054@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Iain Lane <laney@debian.org> (supplier of updated nautilus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 29 May 2019 12:47:33 +0100
Source: nautilus
Architecture: source
Version: 3.30.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Iain Lane <laney@debian.org>
Closes: 928054
Changes:
 nautilus (3.30.5-2) unstable; urgency=medium
 .
   * debian/control{,.in}, gbp.conf: Update debian branch to debian/buster
   * Update gnome-desktop code. Nautilus contains a copy of this code,
     which originated in gnome-desktop3.
       + Fixes a potential crash during thumbnailing
       + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
       + Also improves handling of usrmerged and non-usrmerged systems.
       + Mounts the fontconfig cache dir, to improve performance if fontconfig
         is used
         - Add a corresponding BD on libfontconfig1-dev, to fetch the needed
           variable from its pcfile.
       + Fixes seccomp filter bypass. CVE-2019-11461
       + Closes: #928054





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:34:36 2019; Machine Name: beach