Debian Bug report logs -
#840958
dwarfutils: CVE-2016-8679: heap-based buffer overflow in _dwarf_get_size_of_val
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 16 Oct 2016 13:12:01 UTC
Severity: important
Tags: security, upstream
Found in versions dwarfutils/20120410-2, dwarfutils/20161001-1
Fixed in version dwarfutils/20161001-2
Done: Fabian Wolff <fabi.wolff@arcor.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabian Wolff <fabi.wolff@arcor.de>:
Bug#840958; Package src:dwarfutils.
(Sun, 16 Oct 2016 13:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabian Wolff <fabi.wolff@arcor.de>.
(Sun, 16 Oct 2016 13:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: dwarfutils
Version: 20161001-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for dwarfutils.
CVE-2016-8679[0]:
dwarf_util.c: heap-based buffer overflow in _dwarf_get_size_of_val
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-8679
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) pending.
Request was from Fabian Wolff <fabi.wolff@arcor.de>
to control@bugs.debian.org.
(Thu, 20 Oct 2016 20:33:04 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#840958.
(Thu, 20 Oct 2016 20:33:09 GMT) (full text, mbox, link).
Message #10 received at 840958-submitter@bugs.debian.org (full text, mbox, reply):
tag 840958 pending
thanks
Hello,
Bug #840958 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/dwarfutils.git;a=commitdiff;h=f605e4f
---
commit f605e4ff549ae6e9b882a8f69f60a2a8ac2eb47b
Author: Fabian Wolff <fabi.wolff@arcor.de>
Date: Thu Oct 20 22:32:02 2016 +0200
Add patch 03-CVE-2016-8679.patch
diff --git a/debian/changelog b/debian/changelog
index c2fdb24..d672eae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
dwarfutils (20161001-2) UNRELEASED; urgency=medium
* Add patch 02-CVE-2016-8680.patch to fix CVE-2016-8680 (Closes: #840960).
+ * Add patch 03-CVE-2016-8679.patch to fix both CVE-2016-8679 and
+ CVE-2016-8681 (the same fix applies to both issues)
+ (Closes: #840958, #840961).
-- Fabian Wolff <fabi.wolff@arcor.de> Thu, 20 Oct 2016 21:44:10 +0200
Reply sent
to Fabian Wolff <fabi.wolff@arcor.de>:
You have taken responsibility.
(Fri, 21 Oct 2016 10:27:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 21 Oct 2016 10:27:09 GMT) (full text, mbox, link).
Message #15 received at 840958-close@bugs.debian.org (full text, mbox, reply):
Source: dwarfutils
Source-Version: 20161001-2
We believe that the bug you reported is fixed in the latest version of
dwarfutils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Wolff <fabi.wolff@arcor.de> (supplier of updated dwarfutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 20 Oct 2016 22:33:00 +0200
Source: dwarfutils
Binary: dwarfdump libdwarf-dev libdwarf1
Architecture: source
Version: 20161001-2
Distribution: unstable
Urgency: medium
Maintainer: Fabian Wolff <fabi.wolff@arcor.de>
Changed-By: Fabian Wolff <fabi.wolff@arcor.de>
Closes: 840958 840960 840961
Description:
dwarfdump - utility to dump DWARF debug information from ELF objects
libdwarf1 - library to consume and produce DWARF debug information (runtime)
libdwarf-dev - library to consume and produce DWARF debug information
Changes:
dwarfutils (20161001-2) unstable; urgency=medium
.
* Add patch 02-CVE-2016-8680.patch to fix CVE-2016-8680 (Closes: #840960).
* Add patch 03-CVE-2016-8679.patch to fix both CVE-2016-8679 and
CVE-2016-8681 (the same fix applies to both issues)
(Closes: #840958, #840961).
Checksums-Sha1:
4dd560494748a24033648d4ee3a75c301e3138cf 2057 dwarfutils_20161001-2.dsc
b2712b0ca172b262f09c1808106de7163614aac6 1724649 dwarfutils_20161001.orig.tar.gz
2ac9b8876a9d08b40407549c0f6a07193cde44a1 12536 dwarfutils_20161001-2.debian.tar.xz
Checksums-Sha256:
e456602072e6a68fec080937f10b0c8058f3f711170e7b469341a1e644b7023a 2057 dwarfutils_20161001-2.dsc
60c40f9a75c1fc8e35a60f7e9c41a2d02527434b70e594adcd0723f73e4f6b4d 1724649 dwarfutils_20161001.orig.tar.gz
1c06b527faf986ea03c24810260c50d1a20cabc2a83e8f1bba2b3ea4718a550f 12536 dwarfutils_20161001-2.debian.tar.xz
Files:
ba1fa1d2f2ecc0d47f9163584f577564 2057 libs optional dwarfutils_20161001-2.dsc
7b4cf2ae33fa0921aae2a431cd185e91 1724649 libs optional dwarfutils_20161001.orig.tar.gz
14cda10188b829d8ecfaa70a9eaca23c 12536 libs optional dwarfutils_20161001-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYCcgNAAoJEBXgmvTfUYLI6tMP/jVYilWX4ayRBCRl2/nb8vzw
KdHlm+1iS8eQOiQQvTVZksB+JkyEwcWKow3vdTSQhsgp6U2/nVAtFcY5vSG5Xoaw
fZ4cVZege6bN/Kv+ZrxZUdCKE/FOaTi7dXDmr17nlg+vJNRSEGqtZh4Kz/0o5mi0
7oPeOHnEKgk1x4PICwlyGsoUCVi1hreytWAdcoyg9wHVFWFxM5EPfXqrNuq88HgV
vGPwQGFyCg2z1Nfn3I7BWxsEE5wHBlP+krreRKw2HCc/SidvnBv4FRkLpweS0gs/
Sw5P9pbaV2Iwgi1DZEfq5Z+x1zvKC9WjJlXh4g2rljfY5goInVN3go1Z3LioWUdV
D+PgvG6iq1v2lsjtA+eN070NiA8pu7zL7fwm+++AO1vlnZdKU2qsJDIi/qT+1d3e
Ya4Z1jNn0ikr50iqPI75AJp6p4DWeQINgcvo6Cnk3Fu3ywrvX0uC1kh4G2mHixmT
ZO4O9DGpbrLs4Tueh9U7hTdfYt7SzRUtNXc0QGF08rhpLMhjScxhGYA4Rt4Kpny7
07ZYdbNESFZeVlyA3p23B7PoPogFhI3By7SseIzXVQMX/bP4qyjef4gJBqsc2YnJ
YYlCkQ+UX9ZJkGVX2QRVz41kB5C/S6vGaA9ZDo5WgR6MyKlwzDJvU8k0+qmwTKvu
bS4JXXgdMMBvCSV4JWUZ
=bOqt
-----END PGP SIGNATURE-----
Marked as found in versions dwarfutils/20120410-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 26 Oct 2016 16:09:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 05 Dec 2016 10:00:32 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Don Armstrong <don@debian.org>
to control@bugs.debian.org.
(Wed, 07 Dec 2016 02:01:02 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 27 Jan 2017 10:13:10 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:24:20 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon