librecad: denial-of-service CVE-2018-19105

Related Vulnerabilities: CVE-2018-19105  

Debian Bug report logs - #928477

Reported by: Markus Koschany <apo@debian.org>

Date: Sun, 5 May 2019 14:57:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions librecad/2.1.3-1.1, librecad/2.1.2-1

Fixed in versions librecad/2.1.3-1.2, librecad/2.1.2-1+deb9u1

Done: Markus Koschany <apo@debian.org>

Forwarded to https://github.com/LibreCAD/LibreCAD/issues/1038



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#928477; Package librecad. (Sun, 05 May 2019 14:57:04 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 05 May 2019 14:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: librecad: denial-of-service CVE-2018-19105
Date: Sun, 5 May 2019 16:55:54 +0200
Package: librecad
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for librecad.

CVE-2018-19105[0]:
| LibreCAD 2.1.3 allows remote attackers to cause a denial of service
| (0x89C04589 write access violation and application crash) or possibly
| have unspecified other impact via a crafted file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19105
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19105

Please adjust the affected versions in the BTS as needed.

Regards,

Markus


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 May 2019 15:33:02 GMT).


Marked as found in versions librecad/2.1.3-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 May 2019 15:33:02 GMT).


Marked as found in versions librecad/2.1.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 May 2019 15:33:03 GMT).


Set Bug forwarded-to-address to 'https://github.com/LibreCAD/LibreCAD/issues/1038'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 May 2019 15:33:03 GMT).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 09 May 2019 19:30:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#928477; Package librecad. (Thu, 16 May 2019 11:39:03 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 16 May 2019 11:39:03 GMT).


Message #20 received at 928477@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 928477@bugs.debian.org
Subject: Re: librecad: denial-of-service CVE-2018-19105
Date: Thu, 16 May 2019 13:36:36 +0200
Control: tags -1 pending patch

On Sun, 5 May 2019 16:55:54 +0200 Markus Koschany <apo@debian.org> wrote:
> Package: librecad
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for librecad.
> 
> CVE-2018-19105[0]:
> | LibreCAD 2.1.3 allows remote attackers to cause a denial of service
> | (0x89C04589 write access violation and application crash) or possibly
> | have unspecified other impact via a crafted file.

Dear maintainer,

I have uploaded a new revision of librecad to fix CVE-2018-19105. I
intend to file an unblock request as well.

Regards,

Markus
[librecad.debdiff (text/plain, attachment)]

Added tag(s) pending and patch. Request was from Markus Koschany <apo@debian.org> to 928477-submit@bugs.debian.org. (Thu, 16 May 2019 11:39:03 GMT).


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 16 May 2019 11:51:04 GMT).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Thu, 16 May 2019 11:51:04 GMT).


Message #27 received at 928477-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 928477-close@bugs.debian.org
Subject: Bug#928477: fixed in librecad 2.1.3-1.2
Date: Thu, 16 May 2019 11:48:48 +0000
Source: librecad
Source-Version: 2.1.3-1.2

We believe that the bug you reported is fixed in the latest version of
librecad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928477@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated librecad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 16 May 2019 13:11:05 +0200
Source: librecad
Architecture: source
Version: 2.1.3-1.2
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 928477
Changes:
 librecad (2.1.3-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2018-19105:
     A vulnerability was found in LibreCAD, a computer-aided design system,
     which could be exploited to crash the application or cause other
     unspecified impact when opening a specially crafted file. (Closes: #928477)




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 23 May 2019 20:51:03 GMT).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Thu, 23 May 2019 20:51:04 GMT).


Message #32 received at 928477-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 928477-close@bugs.debian.org
Subject: Bug#928477: fixed in librecad 2.1.2-1+deb9u1
Date: Thu, 23 May 2019 20:47:37 +0000
Source: librecad
Source-Version: 2.1.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
librecad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928477@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated librecad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 19 May 2019 23:17:22 +0200
Source: librecad
Binary: librecad librecad-data
Architecture: source
Version: 2.1.2-1+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 librecad   - Computer-aided design (CAD) system
 librecad-data - Computer-aided design (CAD) system -- shared files
Closes: 928477
Changes:
 librecad (2.1.2-1+deb9u1) stretch; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-19105:
     A vulnerability was found in LibreCAD, a computer-aided design system,
     which could be exploited to crash the application or cause other
     unspecified impact when opening a specially crafted file. (Closes: #928477)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:18:34 2019; Machine Name: buxtehude
