libwebp: cve-2012-5127

Debian Bug report logs - #704573
libwebp: cve-2012-5127

Package: libwebp; Maintainer for libwebp is Jeff Breidenbach <jab@debian.org>;

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Wed, 3 Apr 2013 03:03:02 UTC

Severity: serious

Tags: patch, security

Found in version 0.1.3-3

Fixed in versions 0.3.0-3, libwebp/0.1.3-3+nmu1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#704573; Package libwebp. (Wed, 03 Apr 2013 03:03:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Jeff Breidenbach <jab@debian.org>. (Wed, 03 Apr 2013 03:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libwebp: cve-2012-5127
Date: Tue, 2 Apr 2013 23:01:00 -0400
Package: libwebp
Severity: serious
Version: 0.1.3-3
Tags: security

Hi,
the following vulnerability was published for libwebp.

CVE-2012-5127[0]:
| Integer overflow in Google Chrome before 23.0.1271.64 allows remote
| attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted WebP image.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5127
    http://security-tracker.debian.org/tracker/CVE-2012-5127



Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#704573; Package libwebp. (Wed, 03 Apr 2013 03:39:04 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Wed, 03 Apr 2013 03:39:04 GMT)


Message #10 received at 704573@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 704573@bugs.debian.org
Subject: Re: Bug#704573: Acknowledgement (libwebp: cve-2012-5127)
Date: Tue, 2 Apr 2013 23:37:15 -0400
I've uploaded an nmu fixing this issue to delayed/5.  Please see attached patch.

Best wishes,
Mike
[libwebp.patch (application/octet-stream, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Wed, 03 Apr 2013 03:45:04 GMT)


Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Wed, 03 Apr 2013 03:45:05 GMT)


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 08 Apr 2013 04:06:09 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Mon, 08 Apr 2013 04:06:09 GMT)


Message #19 received at 704573-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 704573-close@bugs.debian.org
Subject: Bug#704573: fixed in libwebp 0.1.3-3+nmu1
Date: Mon, 08 Apr 2013 04:03:08 +0000
Source: libwebp
Source-Version: 0.1.3-3+nmu1

We believe that the bug you reported is fixed in the latest version of
libwebp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated libwebp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Apr 2013 02:54:20 +0000
Source: libwebp
Binary: libwebp-dev libwebp2 webp
Architecture: source amd64
Version: 0.1.3-3+nmu1
Distribution: unstable
Urgency: high
Maintainer: Jeff Breidenbach <jab@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libwebp-dev - Lossy compression of digital photographic images.
 libwebp2   - Lossy compression of digital photographic images.
 webp       - Lossy compression of digital photographic images.
Closes: 704573
Changes: 
 libwebp (0.1.3-3+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2012-5127: integer overflows in src/dec/webp.c (closes: #704573).


Marked as fixed in versions 0.3.0-3. Request was from Jeremy Bicha <jbicha@ubuntu.com> to control@bugs.debian.org. (Fri, 21 Jun 2013 22:57:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Jul 2013 07:33:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:11:11 2019; Machine Name: beach
