liblouis: CVE-2023-26767 CVE-2023-26768 CVE-2023-26769


Debian Bug report logs - #1033202
liblouis: CVE-2023-26767 CVE-2023-26768 CVE-2023-26769


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 19 Mar 2023 16:12:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version liblouis/3.24.0-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>:
Bug#1033202; Package src:liblouis. (Sun, 19 Mar 2023 16:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>. (Sun, 19 Mar 2023 16:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblouis: CVE-2023-26767 CVE-2023-26768 CVE-2023-26769
Date: Sun, 19 Mar 2023 17:09:09 +0100
Source: liblouis
Version: 3.24.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for liblouis.

CVE-2023-26767[0]:
| Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
| remote attacker to cause a denial of service via the lou_logFile
| function at logginc.c endpoint.


CVE-2023-26768[1]:
| Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
| remote attacker to cause a denial of service via the
| compileTranslationTable.c and lou_setDataPath functions.


CVE-2023-26769[2]:
| Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0
| allows a remote attacker to cause a denial of service via the
| resolveSubtable function at compileTranslationTabel.c.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26767
    https://www.cve.org/CVERecord?id=CVE-2023-26767
[1] https://security-tracker.debian.org/tracker/CVE-2023-26768
    https://www.cve.org/CVERecord?id=CVE-2023-26768
[2] https://security-tracker.debian.org/tracker/CVE-2023-26769
    https://www.cve.org/CVERecord?id=CVE-2023-26769

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>:
Bug#1033202; Package src:liblouis. (Sun, 19 Mar 2023 16:30:02 GMT)


Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>. (Sun, 19 Mar 2023 16:30:02 GMT)


Message #10 received at submit@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1033202@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#1033202: liblouis: CVE-2023-26767 CVE-2023-26768 CVE-2023-26769
Date: Sun, 19 Mar 2023 17:27:39 +0100
Control: severity -1 normal

Hello,

I don't think any of these is an actual security issue.

Salvatore Bonaccorso, on Sun. 19 Mar 2023 17:09:09 +0100, wrote:
> The following vulnerabilities were published for liblouis.
> 
> CVE-2023-26767[0]:
> | Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
> | remote attacker to cause a denial of service via the lou_logFile
> | function at logginc.c endpoint.

lou_logFile is not the kind of thing that is supposed to be usable
by attackers. If it was it would be *way* more serious than a buffer
overflow is.

> CVE-2023-26768[1]:
> | Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
> | remote attacker to cause a denial of service via the
> | compileTranslationTable.c and lou_setDataPath functions.

It is the user that is in control of loading the translation table. The
content of the table *has* to be under the control of the user. If an
attacker was able to change the table, it would be *way* more problematic
than just buffer overflows.

> CVE-2023-26769[2]:
> | Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0
> | allows a remote attacker to cause a denial of service via the
> | resolveSubtable function at compileTranslationTabel.c.

lou_trace is a debugging tool.

Samuel



Severity set to 'normal' from 'important' Request was from Samuel Thibault <sthibault@debian.org> to submit@bugs.debian.org. (Sun, 19 Mar 2023 16:30:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>:
Bug#1033202; Package src:liblouis. (Sun, 19 Mar 2023 16:30:04 GMT)


Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>. (Sun, 19 Mar 2023 16:30:04 GMT)


Added tag(s) fixed-upstream. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2023 16:36:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>:
Bug#1033202; Package src:liblouis. (Sun, 19 Mar 2023 16:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>. (Sun, 19 Mar 2023 16:57:03 GMT)


Message #24 received at 1033202@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Samuel Thibault <sthibault@debian.org>, 1033202@bugs.debian.org
Subject: Re: Bug#1033202: liblouis: CVE-2023-26767 CVE-2023-26768 CVE-2023-26769
Date: Sun, 19 Mar 2023 17:54:01 +0100
Hi Samuel,

On Sun, Mar 19, 2023 at 05:27:39PM +0100, Samuel Thibault wrote:
> Control: severity -1 normal
> 
> Hello,
> 
> I don't think any of these is an actual security issue.
> 
> Salvatore Bonaccorso, on Sun. 19 Mar 2023 17:09:09 +0100, wrote:
> > The following vulnerabilities were published for liblouis.
> > 
> > CVE-2023-26767[0]:
> > | Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
> > | remote attacker to cause a denial of service via the lou_logFile
> > | function at logginc.c endpoint.
> 
> lou_logFile is not the kind of thing that is supposed to be usable
> by attackers. If it was it would be *way* more serious than a buffer
> overflow is.
> 
> > CVE-2023-26768[1]:
> > | Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
> > | remote attacker to cause a denial of service via the
> > | compileTranslationTable.c and lou_setDataPath functions.
> 
> It is the user that is in control of loading the translation table. The
> content of the table *has* to be under the control of the user. If an
> attacker was able to change the table, it would be *way* more problematic
> than just buffer overflows.
> 
> > CVE-2023-26769[2]:
> > | Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0
> > | allows a remote attacker to cause a denial of service via the
> > | resolveSubtable function at compileTranslationTabel.c.
> 
> lou_trace is a debugging tool.

Thanks, makes all sense. I amended the entries in security-tracker to
note the negligible security impact.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Mar 20 13:09:00 2023; Machine Name: buxtehude
