lepton: CVE-2017-8891

Debian Bug report logs - #862446


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 12 May 2017 19:15:02 UTC

Severity: important

Tags: security, upstream

Found in version lepton/1.2.1-2

Fixed in version lepton/1.2.1+20170405-1

Done: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/dropbox/lepton/issues/87




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#862446; Package src:lepton. (Fri, 12 May 2017 19:15:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 12 May 2017 19:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lepton: CVE-2017-8891
Date: Fri, 12 May 2017 21:11:32 +0200
Source: lepton
Version: 1.2.1-2
Severity: important
Tags: upstream security
Forwarded: https://github.com/dropbox/lepton/issues/87

Hi,

the following vulnerability was published for lepton.

CVE-2017-8891[0]:
| Dropbox Lepton 1.2.1 allows DoS (SEGV and application crash) via a
| malformed lepton file because the code does not ensure setup of a
| correct number of threads.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8891
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8891
[1] https://github.com/dropbox/lepton/issues/87

Regards,
Salvatore



Reply sent to ChangZhuo Chen (陳昌倬) <czchen@debian.org>:
You have taken responsibility. (Sat, 13 May 2017 16:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 13 May 2017 16:51:03 GMT)


Message #10 received at 862446-close@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: 862446-close@bugs.debian.org
Subject: Bug#862446: fixed in lepton 1.2.1+20170405-1
Date: Sat, 13 May 2017 16:48:53 +0000
Source: lepton
Source-Version: 1.2.1+20170405-1

We believe that the bug you reported is fixed in the latest version of
lepton, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czchen@debian.org> (supplier of updated lepton package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 14 May 2017 00:16:01 +0800
Source: lepton
Binary: lepton
Architecture: source
Version: 1.2.1+20170405-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Description:
 lepton     - tool to compress JPEGs losslessly
Closes: 862446
Changes:
 lepton (1.2.1+20170405-1) unstable; urgency=medium
 .
   * Use git snapshot 6d940eb00576f2b262e9c478c8dfed1559d32563 for
     CVE-2017-8891 (Closes: #862446).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Jul 2017 07:25:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:25 2019; Machine Name: buxtehude
