libconfuse: CVE-2022-40320

Debian Bug report logs - #1019596
Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 12 Sep 2022 20:39:04 UTC

Severity: important

Tags: security, upstream

Found in version libconfuse/3.3-2

Fixed in version libconfuse/3.3-3

Done: Aurelien Jarno <aurel32@debian.org>

Forwarded to https://github.com/libconfuse/libconfuse/issues/163


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Aurelien Jarno <aurel32@debian.org>:
Bug#1019596; Package src:libconfuse. (Mon, 12 Sep 2022 20:39:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Aurelien Jarno <aurel32@debian.org>. (Mon, 12 Sep 2022 20:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libconfuse: CVE-2022-40320
Date: Mon, 12 Sep 2022 22:34:34 +0200
Source: libconfuse
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libconfuse.

CVE-2022-40320[0]:
| cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based
| buffer over-read.

https://github.com/libconfuse/libconfuse/issues/163
Fixed by: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40320
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40320

Please adjust the affected versions in the BTS as needed.



Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Mon, 12 Sep 2022 21:27:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 12 Sep 2022 21:27:03 GMT)


Message #10 received at 1019596-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1019596-close@bugs.debian.org
Subject: Bug#1019596: fixed in libconfuse 3.3-3
Date: Mon, 12 Sep 2022 21:25:21 +0000
Source: libconfuse
Source-Version: 3.3-3
Done: Aurelien Jarno <aurel32@debian.org>

We believe that the bug you reported is fixed in the latest version of
libconfuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1019596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated libconfuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 12 Sep 2022 23:08:48 +0200
Source: libconfuse
Architecture: source
Version: 3.3-3
Distribution: unstable
Urgency: high
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 993178 1019596
Changes:
 libconfuse (3.3-3) unstable; urgency=high
 .
   * Urgency set to high due to the security issue.
   * Add debian/patches/CVE-2022-40320.patch from upstream to fix a heap-based
     buffer over-read in cfg_tilde_expand (CVE-2022-40320).  Closes: #1019596.
   * Enable hardening flags.  Closes: #993178.
   * Bumped Standards-Version to 4.6.1 (no changes).
Checksums-Sha1:
 67b0915e6086a3291b48dfb3ef766304c9b4126c 2061 libconfuse_3.3-3.dsc
 956a70abccb77b2beb6a08437e241c18bdf4635d 7644 libconfuse_3.3-3.debian.tar.xz
 55bc511eea8a2d931636b755ddb3c2df620bd8cd 5849 libconfuse_3.3-3_source.buildinfo
Checksums-Sha256:
 6b711e4cedfd3f032c921b96ee854fdbbcd7df2160f9d2ffde3a728baee63f7f 2061 libconfuse_3.3-3.dsc
 eee86195d579e2ee121c2404d0014391b9bb3192c1963a8ea2559f921d99eb3b 7644 libconfuse_3.3-3.debian.tar.xz
 ac175a6a19050ac02822b281833f800d21ea8ea4cd512831f7b389965ae34af1 5849 libconfuse_3.3-3_source.buildinfo
Files:
 befc5fb7d2c69d9c4423a16403f135e1 2061 libs optional libconfuse_3.3-3.dsc
 46f4f2e86b1a1f4b721464a2e4e85a46 7644 libs optional libconfuse_3.3-3.debian.tar.xz
 3d1f5f20741b533f808cd0f7c66fda9d 5849 libs optional libconfuse_3.3-3_source.buildinfo


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Sep 2022 04:24:06 GMT)


Marked as found in versions libconfuse/3.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Sep 2022 04:24:07 GMT)


Set Bug forwarded-to-address to 'https://github.com/libconfuse/libconfuse/issues/163'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Sep 2022 04:24:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 13 13:20:29 2022; Machine Name: buxtehude