
Debian Bug report logs - #933075
fig2dev: CVE-2019-14275


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Jul 2019 11:51:09 UTC

Severity: normal

Tags: security, upstream

Found in versions fig2dev/1:3.2.7a-6, fig2dev/1:3.2.7a-5

Fixed in version fig2dev/1:3.2.7a-7

Done: Roland Rosenfeld <roland@debian.org>

Forwarded to https://sourceforge.net/p/mcj/tickets/52/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Roland Rosenfeld <roland@debian.org>:
Bug#933075; Package src:fig2dev. (Fri, 26 Jul 2019 11:51:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Roland Rosenfeld <roland@debian.org>. (Fri, 26 Jul 2019 11:51:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fig2dev: CVE-2019-14275
Date: Fri, 26 Jul 2019 13:48:49 +0200
Source: fig2dev
Version: 1:3.2.7a-6
Severity: normal
Tags: security upstream
Forwarded: https://sourceforge.net/p/mcj/tickets/52/
Control: found -1 1:3.2.7a-5

Hi,

The following vulnerability was published for fig2dev.

CVE-2019-14275[0]:
| Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the
| calc_arrow function in bound.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14275
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14275
[1] https://sourceforge.net/p/mcj/tickets/52/

Regards,
Salvatore



Marked as found in versions fig2dev/1:3.2.7a-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 26 Jul 2019 11:51:11 GMT)


Reply sent to Roland Rosenfeld <roland@debian.org>:
You have taken responsibility. (Sat, 27 Jul 2019 08:42:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 27 Jul 2019 08:42:03 GMT)


Message #12 received at 933075-close@bugs.debian.org:

From: Roland Rosenfeld <roland@debian.org>
To: 933075-close@bugs.debian.org
Subject: Bug#933075: fixed in fig2dev 1:3.2.7a-7
Date: Sat, 27 Jul 2019 08:39:28 +0000
Source: fig2dev
Source-Version: 1:3.2.7a-7

We believe that the bug you reported is fixed in the latest version of
fig2dev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated fig2dev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Jul 2019 09:42:52 +0200
Source: fig2dev
Architecture: source
Version: 1:3.2.7a-7
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Closes: 933075
Changes:
 fig2dev (1:3.2.7a-7) unstable; urgency=medium
 .
   * 40_circle_arrowhead: Do not segfault on circle/half circle arrowheads
     with a magnification larger than 42.  This fixes CVE-2019-14275.
     (Closes: #933075).







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 27 09:33:53 2019; Machine Name: beach
