gifsicle: CVE-2023-36193

Debian Bug report logs - #1038976
gifsicle: CVE-2023-36193

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 Jun 2023 21:06:01 UTC

Severity: normal

Tags: security, upstream

Found in version gifsicle/1.93-2

Fixed in version gifsicle/1.94-1

Done: Gürkan Myczko <tar@debian.org>

Forwarded to https://github.com/kohler/gifsicle/issues/191


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Gürkan Myczko <gurkan@phys.ethz.ch>:
Bug#1038976; Package src:gifsicle. (Fri, 23 Jun 2023 21:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Gürkan Myczko <gurkan@phys.ethz.ch>. (Fri, 23 Jun 2023 21:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gifsicle: CVE-2023-36193
Date: Fri, 23 Jun 2023 23:02:55 +0200
Source: gifsicle
Version: 1.93-2
Severity: normal
Tags: security upstream
Forwarded: https://github.com/kohler/gifsicle/issues/191
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for gifsicle.

CVE-2023-36193[0]:
| Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via
| the ambiguity_error component at /src/clp.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36193
    https://www.cve.org/CVERecord?id=CVE-2023-36193
[1] https://github.com/kohler/gifsicle/issues/191
[2] https://github.com/kohler/gifsicle/commit/e21a05a00855b3e647302f06683aca743ae08deb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Gürkan Myczko <tar@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2023 18:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2023 18:24:03 GMT)


Message #10 received at 1038976-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1038976-close@bugs.debian.org
Subject: Bug#1038976: fixed in gifsicle 1.94-1
Date: Sat, 24 Jun 2023 18:19:09 +0000
Source: gifsicle
Source-Version: 1.94-1
Done: Gürkan Myczko <tar@debian.org>

We believe that the bug you reported is fixed in the latest version of
gifsicle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1038976@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gürkan Myczko <tar@debian.org> (supplier of updated gifsicle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jun 2023 19:46:49 +0200
Source: gifsicle
Architecture: source
Version: 1.94-1
Distribution: unstable
Urgency: medium
Maintainer: Gürkan Myczko <tar@debian.org>
Changed-By: Gürkan Myczko <tar@debian.org>
Closes: 1038976
Changes:
 gifsicle (1.94-1) unstable; urgency=medium
 .
   * New upstream version, fixes CVE-2023-36193. (Closes: #1038976)
   * Update maintainer email.
   * Bump standards version to 4.6.2.
Checksums-Sha1:
 01da8b7ca45fa105490fd0bd4f55f52f411a94e4 1927 gifsicle_1.94-1.dsc
 9eb1d0587c362c9ec78c0e87b5abe65789428c1a 480324 gifsicle_1.94.orig.tar.gz
 98c1ae4a8e9b629bb81703dfd974c1127961cb86 6136 gifsicle_1.94-1.debian.tar.xz
 88862c215475c57276e40b6a0c4bc70454e505c9 7096 gifsicle_1.94-1_source.buildinfo
Checksums-Sha256:
 120cd9e5fd40b3e63f9c4f93b3475433ffe292360e1f5dbd8c36c085479ecb23 1927 gifsicle_1.94-1.dsc
 ed3ae1bcb3e69c172e82963b84c260cb0fab00a3ba3587ea2042af4bbefcce6a 480324 gifsicle_1.94.orig.tar.gz
 f7c783313895c666ba8bf177d8f560fdd2430b28a437c2bbe8cf2c9bfb5f6402 6136 gifsicle_1.94-1.debian.tar.xz
 7efcf7a1f297e2feb4dbce9aafdc6cf97c213b959e96fe3ff5d66c34a0fa0aa1 7096 gifsicle_1.94-1_source.buildinfo
Files:
 164e604db5ac63033ed3b2de39546838 1927 graphics optional gifsicle_1.94-1.dsc
 44303cd0eebdc5bc1adfc7b742bce130 480324 graphics optional gifsicle_1.94.orig.tar.gz
 25a54e6d39f70ecdd4c47446aa8d0916 6136 graphics optional gifsicle_1.94-1.debian.tar.xz
 cf888e518bec8fccbb93f95b265420ef 7096 graphics optional gifsicle_1.94-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
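The .changes message above carries the Checksums-Sha256 and Files stanzas for the 1.94-1 upload. Anyone pulling the source files outside the archive tooling (for a rebuild, or to diff 1.93 against 1.94 for the clp.c change) should check the files against that stanza before trusting them. The example below is added here and is not Debian's own tooling (dscverify and the archive software do this in practice); it parses a checksum stanza of the .changes format and verifies files on disk by both size and SHA-256. `CHANGES_STANZA` is copied from the message above; the files used in `self_check` are constructed in a temporary directory and are not the real artifacts, so the real stanza is only parsed, not verified, when this runs offline.

```python
"""Verify files against the Checksums-Sha256 stanza of a .changes file.

Added example, not Debian's own tooling. CHANGES_STANZA is copied from the
gifsicle 1.94-1 upload above; the files in self_check are constructed here.
"""
import hashlib
import os
import tempfile

CHANGES_STANZA = """\
Checksums-Sha256:
 120cd9e5fd40b3e63f9c4f93b3475433ffe292360e1f5dbd8c36c085479ecb23 1927 gifsicle_1.94-1.dsc
 ed3ae1bcb3e69c172e82963b84c260cb0fab00a3ba3587ea2042af4bbefcce6a 480324 gifsicle_1.94.orig.tar.gz
 f7c783313895c666ba8bf177d8f560fdd2430b28a437c2bbe8cf2c9bfb5f6402 6136 gifsicle_1.94-1.debian.tar.xz
 7efcf7a1f297e2feb4dbce9aafdc6cf97c213b959e96fe3ff5d66c34a0fa0aa1 7096 gifsicle_1.94-1_source.buildinfo
Files:
 164e604db5ac63033ed3b2de39546838 1927 graphics optional gifsicle_1.94-1.dsc
"""


def parse_checksums(text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hexdigest, size)} for one multi-line checksum field.
    Continuation lines start with a space; the first non-indented line ends
    the field. Digest is the first token and the filename the last, which
    also covers the 'Files:' stanza (md5 size section priority name)."""
    entries = {}
    in_field = False
    for line in text.splitlines():
        if not in_field:
            in_field = line.startswith(field + ":")
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
        # A .changes file must not direct us outside the download directory.
        if "/" in name or name in (".", ".."):
            raise ValueError(f"refusing path-like filename: {name!r}")
        entries[name] = (digest, size)
    return entries


def verify_files(entries: dict, directory: str) -> dict:
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'digest-mismatch'}.
    Size is checked as well as the digest; hashing in chunks keeps memory
    flat for a large orig tarball."""
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        h = hashlib.sha256()
        n = 0
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
                n += len(chunk)
        if n != size:
            results[name] = "size-mismatch"
        elif h.hexdigest() != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def self_check() -> dict:
    """Run verify_files on constructed files: one intact, one tampered with
    at equal length (so only the digest catches it), one absent."""
    good = b"constructed stand-in for a .dsc\n"
    digest = hashlib.sha256(good).hexdigest()
    stanza = (
        "Checksums-Sha256:\n"
        f" {digest} {len(good)} good.dsc\n"
        f" {digest} {len(good)} tampered.dsc\n"
        f" {digest} {len(good)} absent.dsc\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.dsc"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.dsc"), "wb") as f:
            f.write(good.replace(b".dsc", b".DSC"))
        return verify_files(parse_checksums(stanza), d)


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums(CHANGES_STANZA).items():
        print(f"{size:>7} {digest[:16]}... {name}")
    print(self_check())
```

Checking the digests answers only "are these the bytes the uploader signed for"; whether that signature is genuine is a separate step, which is what the PGP signature on the .changes message and the archive's keyring establish.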
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jun 24 18:34:48 2023; Machine Name: bembo