md4c: CVE-2020-26148


Debian Bug report logs - #971396


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Sep 2020 20:45:02 UTC

Severity: important

Tags: security, upstream

Found in version md4c/0.4.5-1

Fixed in version md4c/0.4.5-2

Done: Patrick Franz <patfra71@gmail.com>

Forwarded to https://github.com/mity/md4c/issues/130



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#971396; Package src:md4c. (Tue, 29 Sep 2020 20:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 29 Sep 2020 20:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: md4c: CVE-2020-26148
Date: Tue, 29 Sep 2020 22:44:04 +0200
Source: md4c
Version: 0.4.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mity/md4c/issues/130
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for md4c.

CVE-2020-26148[0]:
| md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to
| trigger use of uninitialized memory, and cause a denial of service
| (e.g., assertion failure) via a malformed Markdown document.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26148
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26148
[1] https://github.com/mity/md4c/commit/22ca89a3008966c4316d6b0a158b1a49f9038df0
[2] https://github.com/mity/md4c/issues/130

Regards,
Salvatore



Reply sent to Patrick Franz <patfra71@gmail.com>:
You have taken responsibility. (Wed, 30 Sep 2020 03:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Sep 2020 03:24:03 GMT)


Message #10 received at 971396-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 971396-close@bugs.debian.org
Subject: Bug#971396: fixed in md4c 0.4.5-2
Date: Wed, 30 Sep 2020 03:20:06 +0000
Source: md4c
Source-Version: 0.4.5-2
Done: Patrick Franz <patfra71@gmail.com>

We believe that the bug you reported is fixed in the latest version of
md4c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971396@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <patfra71@gmail.com> (supplier of updated md4c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 30 Sep 2020 04:52:53 +0200
Source: md4c
Architecture: source
Version: 0.4.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <patfra71@gmail.com>
Closes: 971396
Changes:
 md4c (0.4.5-2) unstable; urgency=medium
 .
   * Add fix_CVE-2020-26148.patch to fix CVE-2020-26148 (Closes: #971396).
Checksums-Sha1:
 1f56a28ac1902d37a23cf98d0dc7df4a78d290c8 2173 md4c_0.4.5-2.dsc
 083462f1ba3c4e6df41a6193c6465dea2935f78d 9804 md4c_0.4.5-2.debian.tar.xz
 e00537964f986abbede24bcd59946202cb3bab4c 6940 md4c_0.4.5-2_source.buildinfo
Checksums-Sha256:
 be8c7a72e59d7890d8af574693521c968d566fe5975f2b91ecf6c0ba560a429f 2173 md4c_0.4.5-2.dsc
 dbc21bf91436a0c518a7c0e7a5715daec7d7af8fa131ea8e4a23d63d378b95a2 9804 md4c_0.4.5-2.debian.tar.xz
 8849491c5c5e5c7a8556716902ed4463e037ace9b0a421cc52e19ab0ab1153e3 6940 md4c_0.4.5-2_source.buildinfo
Files:
 cb7507070b1cda8de654cdf2a099e23d 2173 libs optional md4c_0.4.5-2.dsc
 bf558ed06163817c8e137cfdd108811e 9804 libs optional md4c_0.4.5-2.debian.tar.xz
 e1fc6c6b4ade62bee178f2a90215b67d 6940 libs optional md4c_0.4.5-2_source.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Sep 30 10:25:10 2020; Machine Name: buxtehude
