udfclient: CVE-2017-8305: Buffer overflow in own strlcpy implementation

Related Vulnerabilities: CVE-2017-8305  

Debian Bug report logs - #861347
udfclient: CVE-2017-8305: Buffer overflow in own strlcpy implementation


Reported by: Pali Rohár <pali.rohar@gmail.com>

Date: Thu, 27 Apr 2017 19:39:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version udfclient/0.8.7-1

Fixed in version udfclient/0.8.8-1

Done: Pali Rohár <pali.rohar@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#861347; Package udfclient. (Thu, 27 Apr 2017 19:39:03 GMT)


Acknowledgement sent to Pali Rohár <pali.rohar@gmail.com>:
New Bug report received and forwarded. (Thu, 27 Apr 2017 19:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Pali Rohár <pali.rohar@gmail.com>
To: submit@bugs.debian.org
Subject: udfclient: Buffer overflow in own strlcpy implementation
Date: Thu, 27 Apr 2017 21:35:43 +0200
Package: udfclient
Version: 0.8.7-1

UDFClient has its own implementation of the strlcpy function, as standard
glibc in libc.so does not provide one. But this implementation in
UDFClient prior to version 0.8.8 has a buffer overflow defect and writes
more characters than the buffer size.

Mitre assigned CVE-2017-8305 for this issue.

-- 
Pali Rohár
pali.rohar@gmail.com
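As an added illustration (not UDFClient's code, which this report does not reproduce): the contract a strlcpy implementation must meet, and a canary check that detects the class of defect described above, writing past the destination buffer or leaving it unterminated. The function and harness names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Standard strlcpy contract: copy at most size-1 bytes of src into dst,
 * always NUL-terminate when size > 0, and return strlen(src) so the caller
 * can detect truncation (return value >= size). Never touches dst[size..]. */
size_t bounded_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Canary check (hypothetical harness): fill a buffer with a guard pattern,
 * copy into its first 'size' bytes, then verify every byte beyond that
 * still holds the pattern and the result is NUL-terminated and correct.
 * Returns 1 when the copy stayed in bounds and met the contract, else 0. */
int check_no_overflow(const char *src, size_t size)
{
    enum { DST_MAX = 64, GUARD = 16 };
    char buf[DST_MAX + GUARD];
    if (size > DST_MAX)
        return 0;                       /* harness limit, not a strlcpy rule */
    memset(buf, 0xAA, sizeof buf);
    size_t ret = bounded_strlcpy(buf, src, size);
    for (size_t i = size; i < sizeof buf; i++)
        if ((unsigned char)buf[i] != 0xAA)
            return 0;                   /* wrote past the destination */
    if (size == 0)
        return 1;                       /* nothing may be written at all */
    if (memchr(buf, '\0', size) == NULL)
        return 0;                       /* not NUL-terminated within size */
    if (ret >= size)                    /* truncated: size-1 bytes then NUL */
        return strlen(buf) == size - 1 && strncmp(buf, src, size - 1) == 0;
    return strcmp(buf, src) == 0;       /* fit: exact copy */
}
```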

Changed Bug title to 'udfclient: CVE-2017-8305: Buffer overflow in own strlcpy implementation' from 'udfclient: Buffer overflow in own strlcpy implementation'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Apr 2017 19:45:07 GMT)


Added tag(s) security, fixed-upstream, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Apr 2017 19:45:07 GMT)


Reply sent to Pali Rohár <pali.rohar@gmail.com>:
You have taken responsibility. (Sun, 14 May 2017 15:06:12 GMT)


Notification sent to Pali Rohár <pali.rohar@gmail.com>:
Bug acknowledged by developer. (Sun, 14 May 2017 15:06:12 GMT)


Message #14 received at 861347-close@bugs.debian.org:

From: Pali Rohár <pali.rohar@gmail.com>
To: 861347-close@bugs.debian.org
Subject: Bug#861347: fixed in udfclient 0.8.8-1
Date: Sun, 14 May 2017 15:03:50 +0000
Source: udfclient
Source-Version: 0.8.8-1

We believe that the bug you reported is fixed in the latest version of
udfclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861347@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pali Rohár <pali.rohar@gmail.com> (supplier of updated udfclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 27 Apr 2017 22:10:27 +0200
Source: udfclient
Binary: udfclient
Architecture: source
Version: 0.8.8-1
Distribution: unstable
Urgency: low
Maintainer: Pali Rohár <pali.rohar@gmail.com>
Changed-By: Pali Rohár <pali.rohar@gmail.com>
Description:
 udfclient  - userland implementation of the UDF filesystem
Closes: 861347
Changes:
 udfclient (0.8.8-1) unstable; urgency=low
 .
   * New upstream release.
     - CVE-2017-8305: Fix buffer overflow in strlcpy implementation
       (Closes: #861347)
   * Enable hardening.
   * Install new man pages.
   * Update debian/watch.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Jun 2017 07:28:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:22:11 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.