liblouis: CVE-2018-11410


Debian Bug report logs - #899999
liblouis: CVE-2018-11410


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 24 May 2018 14:18:04 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version liblouis/3.5.0-1

Fixed in versions liblouis/3.5.0-2, liblouis/3.0.0-3+deb9u2

Done: Samuel Thibault <sthibault@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/liblouis/liblouis/issues/573



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>:
Bug#899999; Package src:liblouis. (Thu, 24 May 2018 14:18:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Thu, 24 May 2018 14:18:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblouis: CVE-2018-11410
Date: Thu, 24 May 2018 16:16:16 +0200
Source: liblouis
Version: 3.5.0-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for liblouis, it was
reported at [1], not sure if it was forwarded to upstream, can you
double check that?

CVE-2018-11410[0]:
| An issue was discovered in Liblouis 3.5.0. An invalid free in the
| compileRule function in compileTranslationTable.c allows remote
| attackers to cause a denial of service (application crash) or possibly
| have unspecified other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11410
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11410
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1582024

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://github.com/liblouis/liblouis/issues/573'. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Thu, 24 May 2018 22:48:03 GMT)


Added tag(s) fixed-upstream. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Fri, 25 May 2018 08:39:03 GMT)


Added tag(s) pending. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Fri, 25 May 2018 08:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>:
Bug#899999; Package src:liblouis. (Fri, 25 May 2018 09:03:02 GMT)


Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Fri, 25 May 2018 09:03:03 GMT)


Message #16 received at 899999@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 899999@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#899999: liblouis: CVE-2018-11410
Date: Fri, 25 May 2018 11:00:49 +0200

Hello

Salvatore Bonaccorso, on Thu, 24 May 2018 16:16:16 +0200, wrote:
> The following vulnerability was published for liblouis, it was
> reported at [1], not sure if it was forwarded to upstream, can you
> double check that?

I reported it to upstream and it is now fixed there.  I have uploaded a
fixed package to unstable as version 3.5.0-2.

I have prepared a stable upload in
git@salsa.debian.org:a11y-team/liblouis.git in the debian-stretch branch

The buffer overflow can be exploited only if one is able to feed the
content of a braille table, which is not normally something that is
possible, usually only the content of the text to be transcribed to
braille can be fed, so I don't see any situation where this can really
be a security concern, so I guess a simple stable upload would be
enough?

Samuel



Reply sent to Samuel Thibault <sthibault@debian.org>:
You have taken responsibility. (Fri, 25 May 2018 09:09:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 25 May 2018 09:09:13 GMT)


Message #21 received at 899999-close@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: 899999-close@bugs.debian.org
Subject: Bug#899999: fixed in liblouis 3.5.0-2
Date: Fri, 25 May 2018 09:04:22 +0000
Source: liblouis
Source-Version: 3.5.0-2

We believe that the bug you reported is fixed in the latest version of
liblouis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899999@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated liblouis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 May 2018 10:42:16 +0200
Source: liblouis
Binary: liblouis-dev liblouis14 liblouis-data liblouis-bin python-louis python3-louis
Architecture: source
Version: 3.5.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Description:
 liblouis-bin - Braille translation library - utilities
 liblouis-data - Braille translation library - data
 liblouis-dev - Braille translation library - static libs and headers
 liblouis14 - Braille translation library - shared libs
 python-louis - Python bindings for liblouis
 python3-louis - Python bindings for liblouis
Closes: 899999
Changes:
 liblouis (3.5.0-2) unstable; urgency=high
 .
   * Bump Standards-Version to 4.1.4 (no changes).
   * patches/cve-2018-11410: Buffer overflow fix for CVE 2018-11410
     (Closes: #899999).





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>:
Bug#899999; Package src:liblouis. (Fri, 25 May 2018 10:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Fri, 25 May 2018 10:27:03 GMT)


Message #26 received at 899999@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Samuel Thibault <sthibault@debian.org>, 899999@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#899999: liblouis: CVE-2018-11410
Date: Fri, 25 May 2018 12:24:28 +0200

Hi Samuel,

On Fri, May 25, 2018 at 11:00:49AM +0200, Samuel Thibault wrote:
> Hello
> 
> Salvatore Bonaccorso, on Thu, 24 May 2018 16:16:16 +0200, wrote:
> > The following vulnerability was published for liblouis, it was
> > reported at [1], not sure if it was forwarded to upstream, can you
> > double check that?
> 
> I reported it to upstream and it is now fixed there.  I have uploaded a
> fixed package to unstable as version 3.5.0-2.
> 
> I have prepared a stable upload in
> git@salsa.debian.org:a11y-team/liblouis.git in the debian-stretch branch
> 
> The buffer overflow can be exploited only if one is able to feed the
> content of a braille table, which is not normally something that is
> possible, usually only the content of the text to be transcribed to
> braille can be fed, so I don't see any situation where this can really
> be a security concern, so I guess a simple stable upload would be
> enough?

I agree, if you can prepare an update to be included in the upcoming
point release for stretch that would be great!

Thanks for all your work.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>:
Bug#899999; Package src:liblouis. (Fri, 25 May 2018 11:18:03 GMT)


Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Fri, 25 May 2018 11:18:03 GMT)


Message #31 received at 899999@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 899999@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#899999: liblouis: CVE-2018-11410
Date: Fri, 25 May 2018 13:15:55 +0200

Hello,

Salvatore Bonaccorso, on Fri, 25 May 2018 12:24:28 +0200, wrote:
> On Fri, May 25, 2018 at 11:00:49AM +0200, Samuel Thibault wrote:
> > Hello
> > 
> > Salvatore Bonaccorso, on Thu, 24 May 2018 16:16:16 +0200, wrote:
> > > The following vulnerability was published for liblouis, it was
> > > reported at [1], not sure if it was forwarded to upstream, can you
> > > double check that?
> > 
> > I reported it to upstream and it is now fixed there.  I have uploaded a
> > fixed package to unstable as version 3.5.0-2.
> > 
> > I have prepared a stable upload in
> > git@salsa.debian.org:a11y-team/liblouis.git in the debian-stretch branch
> > 
> > The buffer overflow can be exploited only if one is able to feed the
> > content of a braille table, which is not normally something that is
> > possible, usually only the content of the text to be transcribed to
> > braille can be fed, so I don't see any situation where this can really
> > be a security concern, so I guess a simple stable upload would be
> > enough?
> 
> I agree, if you can prepare an update to be included in the upcoming
> point release for stretch that would be great!

Ok, liblouis_3.0.0-3+deb9u2 is now in proposed-updates->stable-new ,
should I reportbug release.debian.org, or should the security team
handle it?

Samuel



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>:
Bug#899999; Package src:liblouis. (Fri, 25 May 2018 17:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Fri, 25 May 2018 17:36:03 GMT)


Message #36 received at 899999@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Samuel Thibault <sthibault@debian.org>, 899999@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#899999: liblouis: CVE-2018-11410
Date: Fri, 25 May 2018 19:33:46 +0200

Hello Samuel,

On Fri, May 25, 2018 at 01:15:55PM +0200, Samuel Thibault wrote:
> Hello,
> 
> > Salvatore Bonaccorso, on Fri, 25 May 2018 12:24:28 +0200, wrote:
> > On Fri, May 25, 2018 at 11:00:49AM +0200, Samuel Thibault wrote:
> > > Hello
> > > 
> > > Salvatore Bonaccorso, on Thu, 24 May 2018 16:16:16 +0200, wrote:
> > > > The following vulnerability was published for liblouis, it was
> > > > reported at [1], not sure if it was forwarded to upstream, can you
> > > > double check that?
> > > 
> > > I reported it to upstream and it is now fixed there.  I have uploaded a
> > > fixed package to unstable as version 3.5.0-2.
> > > 
> > > I have prepared a stable upload in
> > > git@salsa.debian.org:a11y-team/liblouis.git in the debian-stretch branch
> > > 
> > > The buffer overflow can be exploited only if one is able to feed the
> > > content of a braille table, which is not normally something that is
> > > possible, usually only the content of the text to be transcribed to
> > > braille can be fed, so I don't see any situation where this can really
> > > be a security concern, so I guess a simple stable upload would be
> > > enough?
> > 
> > I agree, if you can prepare an update to be included in the upcoming
> > point release for stretch that would be great!
> 
> Ok, liblouis_3.0.0-3+deb9u2 is now in proposed-updates->stable-new ,
> should I reportbug release.debian.org, or should the security team
> handle it?

Yes, please do reportbug against release.d.o (although it's allowed to
already upload, the release team still would like to have a bug for
the update, cf. [1]).

Regards,
Salvatore

 [1] https://lists.debian.org/debian-devel-announce/2018/04/msg00007.html



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>:
Bug#899999; Package src:liblouis. (Fri, 25 May 2018 17:39:04 GMT)


Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Fri, 25 May 2018 17:39:04 GMT)


Message #41 received at 899999@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 899999@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#899999: liblouis: CVE-2018-11410
Date: Fri, 25 May 2018 19:35:51 +0200

Salvatore Bonaccorso, on Fri, 25 May 2018 19:33:46 +0200, wrote:
> (although it's allowed to already upload, the release team still would
> like to have a bug for the update, cf. [1])

Sure, I was just wondering whether such security uploads would go
through the security team, or just the normal release team process.

Will reportbug then, thanks.

Samuel



Reply sent to Samuel Thibault <sthibault@debian.org>:
You have taken responsibility. (Mon, 28 May 2018 21:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 28 May 2018 21:21:16 GMT)


Message #46 received at 899999-close@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: 899999-close@bugs.debian.org
Subject: Bug#899999: fixed in liblouis 3.0.0-3+deb9u2
Date: Mon, 28 May 2018 21:17:10 +0000
Source: liblouis
Source-Version: 3.0.0-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
liblouis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899999@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated liblouis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 May 2018 10:46:29 +0200
Source: liblouis
Binary: liblouis-dev liblouis12 liblouis-data liblouis-bin python-louis python3-louis
Architecture: source
Version: 3.0.0-3+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian Accessibility Team <debian-accessibility@lists.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Description:
 liblouis-bin - Braille translation library - utilities
 liblouis-data - Braille translation library - data
 liblouis-dev - Braille translation library - static libs and headers
 liblouis12 - Braille translation library - shared libs
 python-louis - Python bindings for liblouis
 python3-louis - Python bindings for liblouis
Closes: 899999
Changes:
 liblouis (3.0.0-3+deb9u2) stretch; urgency=medium
 .
   * patches/cve-2018-11410: Buffer overflow fix for CVE 2018-11410
     (Closes: #899999).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Jul 2018 07:32:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:53 2019; Machine Name: buxtehude
