dlt-daemon: CVE-2020-29394


Debian Bug report logs - #976228


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Dec 2020 20:39:02 UTC

Severity: grave

Tags: security, upstream

Found in versions dlt-daemon/2.18.5-0.2, dlt-daemon/2.18.0-1

Fixed in version dlt-daemon/2.18.5-0.3

Done: Gianfranco Costamagna <locutusofborg@debian.org>

Forwarded to https://github.com/GENIVI/dlt-daemon/issues/274



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Aigars Mahinovs <aigarius@debian.org>:
Bug#976228; Package src:dlt-daemon. (Tue, 01 Dec 2020 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Aigars Mahinovs <aigarius@debian.org>. (Tue, 01 Dec 2020 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dlt-daemon: CVE-2020-29394
Date: Tue, 01 Dec 2020 21:35:41 +0100
Source: dlt-daemon
Version: 2.18.5-0.2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/GENIVI/dlt-daemon/issues/274
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.18.0-1

Hi,

The following vulnerability was published for dlt-daemon.

CVE-2020-29394[0]:
| A buffer overflow in the dlt_filter_load function in dlt_common.c in
| dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
| code execution because fscanf is misused (no limit on the number of
| characters to be read in a format argument).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29394
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29394
[1] https://github.com/GENIVI/dlt-daemon/issues/274
[2] https://github.com/GENIVI/dlt-daemon/pull/275

Regards,
Salvatore
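An added illustration of the fscanf misuse the CVE text describes, alongside a bounded replacement. This is constructed here and is not code from the bug report, from dlt_common.c, or from the upstream pull request; the buffer sizes, the filter-file layout (whitespace-separated tokens) and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Illustrative sizes; the real buffer lengths in dlt_common.c are an assumption here. */
#define FILTER_TOKEN_MAX   255   /* bytes per token, including the NUL */
#define FILTER_MAX_ENTRIES 16
static char filter_table[FILTER_MAX_ENTRIES][FILTER_TOKEN_MAX];

/* The CVE's pattern, `fscanf(handle, "%s", str)`, has no field width, so one
 * over-long token runs past str. Here the width caps what fscanf stores, and
 * a token not ending at whitespace/EOF is rejected instead of silently split.
 * Returns the number of tokens loaded, or -1 on an over-long token. */
int filter_load(FILE *handle)
{
    char str[FILTER_TOKEN_MAX];
    int n = 0;
    /* "%254s" stores at most 254 bytes plus the NUL in the 255-byte buffer. */
    while (n < FILTER_MAX_ENTRIES && fscanf(handle, "%254s", str) == 1) {
        int next = fgetc(handle);
        if (next != EOF && !isspace(next))
            return -1;                   /* token longer than the buffer */
        if (next != EOF)
            ungetc(next, handle);
        strcpy(filter_table[n++], str);  /* safe: str is bounded above */
    }
    return n;
}

/* Runs the loader over an in-memory string (through a temp file) so it can
 * be exercised offline; returns whatever filter_load() returns. */
int filter_load_text(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fwrite(text, 1, strlen(text), fp);
    rewind(fp);
    int rc = filter_load(fp);
    fclose(fp);
    return rc;
}
const char *filter_entry(int i) { return filter_table[i]; }

/* Constructed sample: one 300-byte token with no separator, which "%s"
 * would have written past the buffer and the hardened loader rejects. */
int filter_load_overlong_sample(void)
{
    char big[301];
    memset(big, 'A', 300); big[300] = '\0';
    return filter_load_text(big);
}
```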



Marked as found in versions dlt-daemon/2.18.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 01 Dec 2020 20:39:04 GMT)


Reply sent to Gianfranco Costamagna <locutusofborg@debian.org>:
You have taken responsibility. (Tue, 01 Dec 2020 21:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 Dec 2020 21:06:03 GMT)


Message #12 received at 976228-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 976228-close@bugs.debian.org
Subject: Bug#976228: fixed in dlt-daemon 2.18.5-0.3
Date: Tue, 01 Dec 2020 21:03:21 +0000
Source: dlt-daemon
Source-Version: 2.18.5-0.3
Done: Gianfranco Costamagna <locutusofborg@debian.org>

We believe that the bug you reported is fixed in the latest version of
dlt-daemon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976228@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated dlt-daemon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 01 Dec 2020 21:57:59 +0100
Source: dlt-daemon
Architecture: source
Version: 2.18.5-0.3
Distribution: unstable
Urgency: high
Maintainer: Aigars Mahinovs <aigarius@debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Closes: 976228
Changes:
 dlt-daemon (2.18.5-0.3) unstable; urgency=high
 .
   * Non-maintainer upload
   * debian/patches/275.patch:
     - cherry-pick upstream fix for CVE-2020-29394
       (Closes: #976228)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 2 07:57:20 2020; Machine Name: buxtehude