Debian Bug report logs -
#868956
libmspack: CVE-2017-11423
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Wed, 19 Jul 2017 20:18:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Wed, 19 Jul 2017 20:18:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libmspack
Version: 0.5-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=11873
Hi,
the following vulnerability was published for libmspack.
CVE-2017-11423[0]:
| The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha,
| as used in ClamAV 0.99.2 and other products, allows remote attackers to
| cause a denial of service (stack-based buffer over-read and application
| crash) via a crafted CAB file.
Unfortunately the upstream bug [1] is locked-down.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11423
[1] https://bugzilla.clamav.net/show_bug.cgi?id=11873
Regards,
Salvatore
Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Jul 2017 20:21:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Sun, 23 Jul 2017 15:21:02 GMT)
Acknowledgement sent to duck@duckcorp.org: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 23 Jul 2017 15:21:02 GMT)
Message #12 received at 868956@bugs.debian.org:
Quack,
I added libmspack's upstream author in case he could give a hand.
Here is the bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956
On 2017-07-20 05:15, Salvatore Bonaccorso wrote:
> Unfortunately the upstream bug [1] is locked-down.
Thanks for reporting it. Unfortunately I don't see how I can solve this
problem. If all information is hidden on a related but not upstream bug
tracker (which really should have one), and if there's no patch or new
release either, then I'm honestly at a loss.
If I happen to create an account on ClamAV's bug tracker, would you
be able to give me access?
Regards.
\_o<
--
Marc Dequènes
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Sun, 23 Jul 2017 16:39:08 GMT)
Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 23 Jul 2017 16:39:08 GMT)
Message #17 received at 868956@bugs.debian.org:
Hello,
I have no more information than you do. If you can find out who raised
the issue, please ask them to send me the example of the crafted file.
The bug says "stack-based buffer over-read and application crash" - the
file
https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul/stack-overflow
doesn't show an application crash, it shows only the stack-based buffer
over-read of 1 byte.
I've known about that one-byte buffer over-read; I fixed it in 2015, and
I haven't yet got around to making a release of libmspack with this fix,
because I didn't consider it a vulnerability at the time and still don't
consider it one now.
https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
> 2015-05-10 Stuart Caie <kyzer@4u.net>
> * cabd_read_string(): correct rejection of empty strings. Thanks to
> Hanno Böck for finding the issue and providing a sample file.
I had a philosophical discussion with Hanno Böck about it; I wasn't
persuaded that it's a real vulnerability. If you craft a CAB file with
an empty CAB string, one byte will be overread. You can't make it
over-read an arbitrary number of bytes, just the empty string -> 1 byte
overread.
This report says "and application crash" -- I still have no evidence
this is true (unless you've instrumented your code to monitor all
overreads and deliberately crash yourself when you see one). If you want
me to release libmspack to address a CVE created for a
non-vulnerability, please let me know.
Regards
Stuart
On 23/07/17 16:17, Marc Dequènes (duck) wrote:
> Quack,
>
> I added libmspack's upstream author in case he could give a hand.
> Here is the bugreport:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956
>
> On 2017-07-20 05:15, Salvatore Bonaccorso wrote:
>
>> Unfortunately the upstream bug [1] is locked-down.
>
> Thanks for reporting it. Unfortunately I don't see how I can solve
> this problem. If all information are hidden on a related but not
> upstream bug tracker (which really should have one), if there's no
> patch or new release either, then I'm honestly at a loss.
>
> If I happen to create an account on the ClamAV's bug tracker, would
> you be able to give me access?
>
> Regards.
> \_o<
>
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Fri, 04 Aug 2017 06:42:05 GMT)
Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Fri, 04 Aug 2017 06:42:05 GMT)
Message #22 received at 868956@bugs.debian.org:
On 2017-07-23 16:52:16 [+0100], Stuart Caie wrote:
> Hello,
Hi Stuart,
> https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
> > 2015-05-10 Stuart Caie <kyzer@4u.net>
> > * cabd_read_string(): correct rejection of empty strings. Thanks to
> > Hanno Böck for finding the issue and providing a sample file.
>
> I had a philosophical discussion with Hanno Böck about it, I wasn't
> persuaded that it's a real vulnerability. If you craft a CAB file with an
> empty CAB string, one byte will be overread. You can't make it over-read an
> arbitrary number of bytes, just the empty string -> 1 byte overread.
>
> This report says "and application crash" -- I still have no evidence this is
> true (unless you've instrumented your code to monitor all overreads and
> deliberately crash yourself when you see one). If you want me to release
> libmspack to address a CVE created for a non-vulnerability, please let me
> know.
Let me try to shed some light on it. First, ClamAV fixed the issue via:
https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
and the read function was crafted by the author of this email and looks
like this:
https://sources.debian.net/src/clamav/0.99.2%2Bdfsg-6/libclamav/libmspack.c/#L125
The way I see it, the problem is that the read function returns -1 on
error and libmspack
https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524
treats the return code as an unsigned integer, which makes the error (-1)
slightly large. The test files cabd_memory.c and multifh.c also return
-1 on error.
> Regards
> Stuart
Sebastian
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Sat, 05 Aug 2017 10:39:03 GMT)
Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sat, 05 Aug 2017 10:39:03 GMT)
Message #27 received at 868956@bugs.debian.org:
On 4 Aug 2017 7:40 am, Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:
>
> The way I see it, the problem is that the read functions returns -1 on
> error and libmspack
> https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524
>
> treats the return code as unsigned integer which makes the error (-1)
> slightly large. The test files cabd_memory.c and multifh.c also return
> -1 on error.
Good catch. That's a new bug I hadn't seen before.
mspack_system.read promises to return negative numbers: https://www.cabextract.org.uk/libmspack/doc/structmspack__system.html#ac33dcc54409a7d5da9be475b3938101e
libmspack is wrong to convert to unsigned without checking for errors first.
When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else.
I'll put out a fix ASAP, but the good news is this seems tricky to exploit. You need to get read() to return an error, not bytes or EOF. The default mspack_system uses fread(), so it couldn't be done there just by file contents. Custom mspack_systems need to be exploitable enough to reach the core bug, so not all libmspack usages are vulnerable.
Regards
Stuart
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Sun, 06 Aug 2017 09:24:04 GMT)
Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 06 Aug 2017 09:24:04 GMT)
Message #32 received at 868956@bugs.debian.org:
On 05/08/17 10:36, Stuart Caie wrote:
> libmspack is wrong to convert to unsigned without checking for errors first.
>
> When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else.
I checked all the other mspack_system calls, they're handled correctly.
Committed a fix:
https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
I'll put out a release in the near future.
Before fix, allowing N reads before always failing in cabd_memory.c
sys->read():
    Allow 3 reads -> mspack/cabd.c:528 (cabd_read_string) len=4294967295
    Allow 4 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
    Allow 5 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
                     mspack/cabd.c:528 (cabd_read_string) len=4294967295
    Allow 6 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
                     mspack/cabd.c:528 (cabd_read_string) len=169
After fix:
    Allowing 3 reads -> error caught and no len printed
    Allowing 4 reads -> mspack/cabd.c:531 (cabd_read_string) len=193
    Allowing 5 reads -> mspack/cabd.c:531 (cabd_read_string) len=193, error caught and no len printed
    Allowing 6 reads -> mspack/cabd.c:531 (cabd_read_string) len=193
                        mspack/cabd.c:531 (cabd_read_string) len=169
Regards
Stuart
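The two messages above (Sebastian's diagnosis in #22 and Stuart's description of the mspack_system.read contract in #27) describe the bug class in prose; the log in #32 shows its symptom, a len of 4294967295. The following is an added C example, not libmspack's or ClamAV's code, that reproduces the pattern on its own: a read callback following the stated contract (bytes read, 0 at EOF, negative on error), a constructed in-memory "file" that fails after a given number of reads (modelled on the cabd_memory.c experiment, but written here from scratch), and the pre-fix and post-fix ways of consuming the callback's result. The function and struct names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for an mspack_system-style read callback (assumed signature):
 * returns the number of bytes read, 0 at end of file, or a negative
 * value on error. */
typedef int (*read_fn)(void *file, void *buf, int bytes);

/* Constructed test file: serves `data` and, once `reads_allowed` calls
 * have been made, fails every further call with -1. */
struct fake_file {
    const unsigned char *data;
    int size;
    int pos;
    int reads_allowed;
};

static int fake_read(void *file, void *buf, int bytes)
{
    struct fake_file *f = file;
    int avail, n;
    if (f->reads_allowed <= 0)
        return -1;                      /* simulated I/O error */
    f->reads_allowed--;
    avail = f->size - f->pos;
    n = bytes < avail ? bytes : avail;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Pre-fix pattern: the callback's int result is stored straight into an
 * unsigned length, so an error of -1 silently becomes 4294967295 and is
 * then available as a bound for further parsing. */
static unsigned int read_length_unchecked(read_fn rd, void *file)
{
    unsigned char buf[256];
    unsigned int len = rd(file, buf, (int) sizeof buf);
    return len;
}

/* Post-fix pattern: keep the signed result and reject a negative value
 * before it is converted. Returns 1 and stores the length on success,
 * 0 when the callback reported an error. */
static int read_length_checked(read_fn rd, void *file, unsigned int *len)
{
    unsigned char buf[256];
    int rc = rd(file, buf, (int) sizeof buf);
    if (rc < 0)
        return 0;                       /* error caught, no len produced */
    *len = (unsigned int) rc;
    return 1;
}

/* Read budget 0: the first read fails. Unchecked path yields 4294967295. */
unsigned int demo_unchecked_on_error(void)
{
    struct fake_file f = { (const unsigned char *) "abc", 3, 0, 0 };
    return read_length_unchecked(fake_read, &f);
}

/* Same failing file through the checked path; -1 means "error caught". */
long demo_checked_on_error(void)
{
    struct fake_file f = { (const unsigned char *) "abc", 3, 0, 0 };
    unsigned int len;
    return read_length_checked(fake_read, &f, &len) ? (long) len : -1L;
}

/* Read budget 1: data is served normally and the length is 3. */
long demo_checked_on_data(void)
{
    struct fake_file f = { (const unsigned char *) "abc", 3, 0, 1 };
    unsigned int len;
    return read_length_checked(fake_read, &f, &len) ? (long) len : -1L;
}

int main(void)
{
    printf("unchecked, read fails: len=%u\n", demo_unchecked_on_error());
    printf("checked, read fails:   %ld (-1 = error caught)\n",
           demo_checked_on_error());
    printf("checked, read ok:      len=%ld\n", demo_checked_on_data());
    return 0;
}
```

The first printed line is the same len=4294967295 that appears in the "before fix" log; the second shows the post-fix behaviour ("error caught and no len printed"). The general rule the fix applies is to compare a signed return code against zero before any conversion to an unsigned size, and to do so at every call site, which is why the commit was followed by a check of all other mspack_system calls.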
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Sun, 06 Aug 2017 19:27:03 GMT)
Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 06 Aug 2017 19:27:03 GMT)
Message #37 received at 868956@bugs.debian.org:
On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote:
> Commited a fix: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
>
> I'll put out a release in the near future.
Thank you, Stuart.
Marc, do you plan to upload something to unstable/security soon, wait for
a new release, or would you prefer someone else to NMU it with this
change?
> Regards
> Stuart
Sebastian
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Sun, 13 Aug 2017 22:21:03 GMT)
Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 13 Aug 2017 22:21:03 GMT)
Message #42 received at 868956@bugs.debian.org:
For your information, libmspack 0.6alpha has now been released.
On 06/08/17 20:22, Sebastian Andrzej Siewior wrote:
> On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote:
>> Commited a fix: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
>>
>> I'll put out a release in the near future.
> thank you Stuart.
> Marc do plan you upload something to unstable/security soon, wait for a
> new release or would you prefer someone else to NMU it with this
> change?
>
>> Regards
>> Stuart
> Sebastian
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Mon, 14 Aug 2017 21:09:03 GMT)
Acknowledgement sent to Marc Dequènes (Duck) <duck@duckcorp.org>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Mon, 14 Aug 2017 21:09:03 GMT)
Message #47 received at 868956@bugs.debian.org:
Quack,
On 08/07/2017 04:22 AM, Sebastian Andrzej Siewior wrote:
> Marc do plan you upload something to unstable/security soon, wait for a
> new release or would you prefer someone else to NMU it with this
> change?
I was at DebConf in Canada, so I was busy meeting people :-).
It should be done before or after flying back home.
\_o<
Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>: You have taken responsibility. (Mon, 14 Aug 2017 23:09:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 14 Aug 2017 23:09:03 GMT)
Message #52 received at 868956-close@bugs.debian.org:
Source: libmspack
Source-Version: 0.6-1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 15 Aug 2017 06:08:38 +0900
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-doc
Architecture: source amd64 all
Version: 0.6-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
libmspack (0.6-1) unstable; urgency=medium
.
* New upstream release:
+ Fix CVE-2017-6419 (Closes: #871263)
+ Fix CVE-2017-11423 (Closes: #868956)
* Fix building documentation.
* Use HTTPS in package metadata.
* Transition to automatic debug packages.
* Package now conforms to Standards-Version 4.0.0.
* Switch to compat level 10.
Checksums-Sha1:
abfa82db355a34ccd5ee4f223c619c31f605b3c9 2026 libmspack_0.6-1.dsc
1e616315aeee95fc0140bdfd6e342a3706688d44 476992 libmspack_0.6.orig.tar.gz
47ce28652edf6aa3422386a23e11c2afaef03901 2932 libmspack_0.6-1.debian.tar.xz
6cda305044695ddfbfb4b8556791510c04261a85 64042 libmspack-dev_0.6-1_amd64.deb
9a15aae2b181ce2c534199400d2279a4cfd52720 323278 libmspack-doc_0.6-1_all.deb
ca56b2331a000fa008ab02567448df487e0a0c5b 78180 libmspack0-dbgsym_0.6-1_amd64.deb
1000c0c78db81e54086fcf76ff3639df9a402ed9 45922 libmspack0_0.6-1_amd64.deb
3aaec626eb5d086d579d06edfafaf85c81dae160 6208 libmspack_0.6-1_amd64.buildinfo
Checksums-Sha256:
d60b99aeaffe40371374eaf89a0eccc4cd388819b1ff698c896b5b430bfcc2a0 2026 libmspack_0.6-1.dsc
1edbee82accb28e679ab538f803aab7a5a569e4102ccf1715b462b1bd915f921 476992 libmspack_0.6.orig.tar.gz
d99333e354f66275033867690f8c60f36d19c7299ca60abd0c79f5a0dec4afaa 2932 libmspack_0.6-1.debian.tar.xz
44298281b906ba1e08090c8662ef14fd0ccd3a800d3ebc63bcffd490897b5d0c 64042 libmspack-dev_0.6-1_amd64.deb
0bab83264b3446927fb9b257ac03c427455d30f1f5048fb58611354375c4e8cd 323278 libmspack-doc_0.6-1_all.deb
babdc78285bdbf692023e2e764055b39491c22f412f79d85858fc252673a3efb 78180 libmspack0-dbgsym_0.6-1_amd64.deb
eee2940b06096b4abe70cc03ce096e94f2240e28ab4996b827bca1612a583397 45922 libmspack0_0.6-1_amd64.deb
c1c7e198d874418ddc9c5442c9bf9dee443f4ff900ce60e6a6a2de5d0c6b8c68 6208 libmspack_0.6-1_amd64.buildinfo
Files:
0e91f7ef773ae3f0be502a3a99840a11 2026 libs optional libmspack_0.6-1.dsc
ec1a4585178ef029d46475aef1462852 476992 libs optional libmspack_0.6.orig.tar.gz
31791878074789c554183f9a6fdb9523 2932 libs optional libmspack_0.6-1.debian.tar.xz
2eb3301f4264856ef379628b74361dca 64042 libdevel optional libmspack-dev_0.6-1_amd64.deb
4fa55856174e099142b92321c50b7aa8 323278 doc optional libmspack-doc_0.6-1_all.deb
f8107bc1dba0598cb7179f1f724ba4ef 78180 debug extra libmspack0-dbgsym_0.6-1_amd64.deb
fb12e2d00f7deeb0ae918ff136d64f0a 45922 libs optional libmspack0_0.6-1_amd64.deb
f1b8ac35ccda02b395b211568c28de76 6208 libs optional libmspack_0.6-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#868956; Package src:libmspack. (Tue, 15 Aug 2017 07:00:03 GMT)
Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Tue, 15 Aug 2017 07:00:03 GMT)
Message #57 received at 868956@bugs.debian.org:
On 2017-08-15 05:55:49 [+0900], Marc Dequènes (Duck) wrote:
> Quack,
Hi,
> I was at DebConf in Canada, so I was busy meeting people :-).
> It should be done before or after flying back home.
No worries. We got the two CVEs sorted out and a release in the
meantime. I see an unstable upload almost made it (B-D doxygen missing).
And we need a security upload.
> \_o<
>
Sebastian
Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: You have taken responsibility. (Tue, 22 Aug 2017 21:51:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 22 Aug 2017 21:51:03 GMT)
Message #62 received at 868956-close@bugs.debian.org:
Source: libmspack
Source-Version: 0.5-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 16 Aug 2017 21:42:50 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source all
Version: 0.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
libmspack-dbg - library for Microsoft compression formats (debugging symbols)
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
libmspack (0.5-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload.
* Correct rejection of empty strings.
* Fix mis-handling of sys->read() errors in cabd_read_string()
(CVE-2017-11423) (Closes: #868956).
* Reject negative output length in SpanInfo (CVE-2017-6419)
(Closes: #871263).
Checksums-Sha1:
8118405773ef8356fe520737058fbf95d17117ed 2106 libmspack_0.5-1+deb9u1.dsc
226f19b1fc58e820671a1749983b06896e108cc4 654193 libmspack_0.5.orig.tar.gz
4babb832b2773e12567b274de585ba2a9e7d8c67 5144 libmspack_0.5-1+deb9u1.debian.tar.xz
dc60b25fbf123af558558eca9d42d07eeb5d401e 100468 libmspack-doc_0.5-1+deb9u1_all.deb
223aaec089b4b2981c25d8bf97018e527504774b 5514 libmspack_0.5-1+deb9u1_all.buildinfo
Checksums-Sha256:
310bd4b82727a872fe4501178858384843047b6068eca999d95d079f57d76499 2106 libmspack_0.5-1+deb9u1.dsc
8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110 654193 libmspack_0.5.orig.tar.gz
5684fef2fb4dcef3440a04bfb2fcb2add4eb1cafab157b7e0f6fe623d7a2c484 5144 libmspack_0.5-1+deb9u1.debian.tar.xz
b5a7aff16ae33e3b8ab74e2a7f249567908d1b32af63a31c7ea0309f7b142033 100468 libmspack-doc_0.5-1+deb9u1_all.deb
b175d977c70110889a4f5f70fb6723a42d52fb9d308434a25946fc2ef32fdc56 5514 libmspack_0.5-1+deb9u1_all.buildinfo
Files:
396bdf2547bb0b30d16b472e83d6a3b0 2106 libs optional libmspack_0.5-1+deb9u1.dsc
3aa3f6b9ef101463270c085478fda1da 654193 libs optional libmspack_0.5.orig.tar.gz
9ff4024c162377ea097e4bb2ae44d85f 5144 libs optional libmspack_0.5-1+deb9u1.debian.tar.xz
a517717857cb8d9b933fa156f4e24445 100468 doc optional libmspack-doc_0.5-1+deb9u1_all.deb
dbf7fd58a7820d7024a987819700eb86 5514 libs optional libmspack_0.5-1+deb9u1_all.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: You have taken responsibility. (Tue, 22 Aug 2017 21:51:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 22 Aug 2017 21:51:05 GMT)
Message #67 received at 868956-close@bugs.debian.org:
Source: libmspack
Source-Version: 0.5-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 16 Aug 2017 21:42:50 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
libmspack-dbg - library for Microsoft compression formats (debugging symbols)
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
libmspack (0.5-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload.
* Correct rejection of empty strings.
* Fix mis-handling of sys->read() errors in cabd_read_string()
(CVE-2017-11423) (Closes: #868956).
* Reject negative output length in SpanInfo (CVE-2017-6419)
(Closes: #871263).
Checksums-Sha1:
0f0eeda3692a12a2ba912733b96c72c6e190295a 2106 libmspack_0.5-1+deb8u1.dsc
42df94afb1e167e1334b92cded4e86c0b6568823 5148 libmspack_0.5-1+deb8u1.debian.tar.xz
5d53a8c460e28223ad680154451f21794e5811a5 47170 libmspack0_0.5-1+deb8u1_amd64.deb
ff8fe69a3e7ac2e1a67e3be3583b5002757158b7 65516 libmspack-dev_0.5-1+deb8u1_amd64.deb
66cd4083789e01458c19f928c5576995dfe07aab 84436 libmspack-dbg_0.5-1+deb8u1_amd64.deb
4aae4ac61a56bfc7d30e9195d13bd19f5b290712 100766 libmspack-doc_0.5-1+deb8u1_all.deb
Checksums-Sha256:
4c0d570bee1de45c801dd2fc745c4fa56131a206ab1edab49e7407942f7d8387 2106 libmspack_0.5-1+deb8u1.dsc
c7ad3df9c6401cbc075acba4519a5fb312183c83154834d52408ce8455e76db8 5148 libmspack_0.5-1+deb8u1.debian.tar.xz
c5efdde1b92633dc3c6b65bbe197bd9cdf5c1748b98f465a29c582602fd3cff4 47170 libmspack0_0.5-1+deb8u1_amd64.deb
0578c9ff8f5f6ff6732769a588595c82850ae83a8379ba3e92df3514d7bd8fd3 65516 libmspack-dev_0.5-1+deb8u1_amd64.deb
7597553486ec11b6fc583468bc85b822ab538a3eb3e14a6193aab36793f13542 84436 libmspack-dbg_0.5-1+deb8u1_amd64.deb
8e04f2a37878279060657d4af01ddb4b8a27b30e2656e408e57eecefd80bac29 100766 libmspack-doc_0.5-1+deb8u1_all.deb
Files:
b5bcf260629f0c2c6884d8b1b1877f55 2106 libs optional libmspack_0.5-1+deb8u1.dsc
be04a3ce310a729c35f5fdb666655373 5148 libs optional libmspack_0.5-1+deb8u1.debian.tar.xz
86d7f1928a14eca61d5619eb42a17ff1 47170 libs optional libmspack0_0.5-1+deb8u1_amd64.deb
b1677eff105b2c8238f7d119d16f4a1e 65516 libdevel optional libmspack-dev_0.5-1+deb8u1_amd64.deb
54826f304dd902d6e78909f39994bd05 84436 debug extra libmspack-dbg_0.5-1+deb8u1_amd64.deb
66e14a51927a4c22a8d2f3b01ad53123 100766 doc optional libmspack-doc_0.5-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:29:26 GMT)
Last modified: Wed Jun 19 16:31:17 2019