confuse: CVE-2018-14447

Related Vulnerabilities: CVE-2018-14447  

Debian Bug report logs - #904159
confuse: CVE-2018-14447

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 20 Jul 2018 22:03:02 UTC

Severity: important

Tags: security, upstream

Found in versions confuse/3.2.1+dfsg-1, confuse/3.0+dfsg-2

Fixed in versions confuse/3.2.1+dfsg-5, confuse/3.0+dfsg-2+deb9u1

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/martinh/libconfuse/issues/109


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Aurelien Jarno <aurel32@debian.org>:
Bug#904159; Package src:confuse. (Fri, 20 Jul 2018 22:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Aurelien Jarno <aurel32@debian.org>. (Fri, 20 Jul 2018 22:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: confuse: CVE-2018-14447
Date: Sat, 21 Jul 2018 00:01:48 +0200
Source: confuse
Version: 3.2.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/martinh/libconfuse/issues/109

Hi,

The following vulnerability was published for confuse, filing this
bug to track the upstream issue reporter.

CVE-2018-14447[0]:
| trim_whitespace in lexer.l in libConfuse v3.2.1 has an out-of-bounds
| read.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14447
[1] https://github.com/martinh/libconfuse/issues/109

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions confuse/3.0+dfsg-2. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Sun, 12 Aug 2018 10:00:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Aurelien Jarno <aurel32@debian.org>:
Bug#904159; Package src:confuse. (Sun, 12 Aug 2018 10:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to Aurelien Jarno <aurel32@debian.org>. (Sun, 12 Aug 2018 10:03:03 GMT) (full text, mbox, link).


Message #12 received at 904159@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 904159@bugs.debian.org
Subject: Re: Bug#904159: confuse: CVE-2018-14447
Date: Sun, 12 Aug 2018 12:01:03 +0200
Hi Salvatore,

On 2018-07-21 00:01, Salvatore Bonaccorso wrote:
> Source: confuse
> Version: 3.2.1+dfsg-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/martinh/libconfuse/issues/109
> 
> Hi,
> 
> The following vulnerability was published for confuse, filing this
> bug to track the upstream issue reporter.
> 
> CVE-2018-14447[0]:
> | trim_whitespace in lexer.l in libConfuse v3.2.1 has an out-of-bounds
> | read.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-14447
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14447
> [1] https://github.com/martinh/libconfuse/issues/109

Now that the fix is available upstream, I have just fixed the bug in
sid. Do you want me to also prepare a package for stretch?

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sun, 12 Aug 2018 10:06:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Aug 2018 10:06:06 GMT) (full text, mbox, link).


Message #17 received at 904159-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 904159-close@bugs.debian.org
Subject: Bug#904159: fixed in confuse 3.2.1+dfsg-5
Date: Sun, 12 Aug 2018 10:03:56 +0000
Source: confuse
Source-Version: 3.2.1+dfsg-5

We believe that the bug you reported is fixed in the latest version of
confuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904159@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated confuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 12 Aug 2018 11:51:32 +0200
Source: confuse
Binary: libconfuse2 libconfuse-common libconfuse-dev libconfuse-doc
Architecture: source
Version: 3.2.1+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 libconfuse-common - Common files for libConfuse
 libconfuse-dev - Development files for libConfuse
 libconfuse-doc - Documentation for libConfuse
 libconfuse2 - Library for parsing configuration files
Closes: 904159
Changes:
 confuse (3.2.1+dfsg-5) unstable; urgency=high
 .
   * Add debian/patches/CVE-2018-14447.patch from upstream to fix
     an out of bound read in trim_whitespace (CVE-2018-14447).  Closes:
     #904159.
   * Set the urgency to high due to the security issue.
   * Bumped Standards-Version to 4.2.0 (no changes).

Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Fri, 17 Aug 2018 17:06:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 Aug 2018 17:06:06 GMT) (full text, mbox, link).


Message #22 received at 904159-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 904159-close@bugs.debian.org
Subject: Bug#904159: fixed in confuse 3.0+dfsg-2+deb9u1
Date: Fri, 17 Aug 2018 17:02:07 +0000
Source: confuse
Source-Version: 3.0+dfsg-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
confuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904159@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated confuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 15 Aug 2018 10:46:39 +0200
Source: confuse
Binary: libconfuse1 libconfuse-common libconfuse-dev
Architecture: source
Version: 3.0+dfsg-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 libconfuse-common - Common files for libConfuse
 libconfuse-dev - Development files for libConfuse
 libconfuse1 - Library for parsing configuration files
Closes: 904159
Changes:
 confuse (3.0+dfsg-2+deb9u1) stretch; urgency=medium
 .
   * Add debian/patches/CVE-2018-14447.patch from upstream to fix
     an out of bound read in trim_whitespace (CVE-2018-14447).  Closes:
     #904159.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Sep 2018 07:27:25 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:08:46 2019; Machine Name: buxtehude
