Debian Bug report logs - #943561
unoconv: CVE-2019-17400

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 26 Oct 2019 14:39:01 UTC

Severity: grave

Tags: security, upstream

Found in version unoconv/0.7-1.1

Fixed in version unoconv/0.7-2

Done: Vincent Bernat <bernat@debian.org>

Forwarded to https://github.com/unoconv/unoconv/pull/510



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Vincent Bernat <bernat@debian.org>:
Bug#943561; Package src:unoconv. (Sat, 26 Oct 2019 14:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Vincent Bernat <bernat@debian.org>. (Sat, 26 Oct 2019 14:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unoconv: CVE-2019-17400
Date: Sat, 26 Oct 2019 16:35:06 +0200
Source: unoconv
Version: 0.7-1.1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/unoconv/unoconv/pull/510

Hi,

The following vulnerability was published for unoconv.

CVE-2019-17400[0]:
| The unoconv package before 0.9 mishandles untrusted pathnames, leading
| to SSRF and local file inclusion.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17400
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17400
[1] https://github.com/unoconv/unoconv/pull/510

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sat, 26 Oct 2019 15:57:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 26 Oct 2019 15:57:07 GMT)


Message #10 received at 943561-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 943561-close@bugs.debian.org
Subject: Bug#943561: fixed in unoconv 0.7-2
Date: Sat, 26 Oct 2019 15:52:46 +0000
Source: unoconv
Source-Version: 0.7-2

We believe that the bug you reported is fixed in the latest version of
unoconv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 943561@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated unoconv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 26 Oct 2019 17:07:44 +0200
Source: unoconv
Architecture: source
Version: 0.7-2
Distribution: unstable
Urgency: high
Maintainer: Vincent Bernat <bernat@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Closes: 943561
Changes:
 unoconv (0.7-2) unstable; urgency=high
 .
   * d/control: update Vcs-* fields.
   * d/patches: don't update linked document by default. CVE-2019-17400.
     Closes: #943561.
Checksums-Sha1:
 e5a67084dfdb53c706feb58187e5b53bca7ee736 1851 unoconv_0.7-2.dsc
 2cf73259c57b3b5bb8fec049e20bf9a260f48621 6240 unoconv_0.7-2.debian.tar.xz
 dee5cb45c6506cdbe0d2652b1d69feead9fcc623 6491 unoconv_0.7-2_amd64.buildinfo
Checksums-Sha256:
 85d88c85b5087f041718e865dc6c2972c4045356c92ee227be97928f39f5a0f9 1851 unoconv_0.7-2.dsc
 c8b3913951c092608840c69dd61654e76f63f929fbc0d4c2926fd94cca953431 6240 unoconv_0.7-2.debian.tar.xz
 2ab2fe6e6e43794df4d1f4a05eb0617bf722a0ac1cf0eee0536edfe80b2602fb 6491 unoconv_0.7-2_amd64.buildinfo
Files:
 e34f0e462dd5e41f92dce1d4aebfb089 1851 text extra unoconv_0.7-2.dsc
 318802d36863955809f86c06cb9ec955 6240 text extra unoconv_0.7-2.debian.tar.xz
 4119b360624c11e047f0394a4914590b 6491 text extra unoconv_0.7-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
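The vulnerability description in the report above (untrusted pathnames in a document leading to SSRF and local file inclusion) and the changelog entry in the close message (the fix is to stop updating linked documents by default) describe one mechanism: a converter that refreshes a document's linked content on load will fetch whatever the document's author pointed at, from the converter's host and with that host's network position and file access. What follows is an added example and not code from unoconv, the Debian package or PR #510: a pre-conversion scanner that opens an ODF package and flags every xlink:href in content.xml or styles.xml that reaches outside the package, so such documents can be rejected before they reach a converter. The element names (draw:image, text:section-source) are standard ODF; the sample .odt, its hostname and paths are constructed for the demonstration, and the list of link-bearing parts is illustrative rather than complete.

```python
"""Pre-conversion scan of an ODF package for links a converter might dereference.

Added example for this bug log, not code from unoconv, the Debian package or
PR #510. A converter that updates linked content on load fetches whatever the
document points at; this scanner flags such links on the intake side. The
sample document, its host and its paths are constructed for the demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# ODF parts that commonly carry xlink:href; illustrative, not a complete list.
LINK_BEARING_PARTS = ("content.xml", "styles.xml")
_DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:[\\/]|\\\\)")


def classify_href(href: str) -> str:
    """Classify one href as 'remote', 'local', 'other-scheme' or 'internal'.

    'internal' is a relative path that stays inside the package (for example
    Pictures/logo.png). Anything else would make the converting host fetch
    something chosen by the document's author if links are updated on load.
    """
    if _DRIVE_OR_UNC.match(href):       # C:\... or \\server\share, no URL scheme
        return "local"
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return "remote"
    if scheme == "file":
        return "local"
    if scheme:                          # smb:, vnd.sun.star.*, ...: not trusted
        return "other-scheme"
    if parts.netloc:                    # protocol-relative //host/path
        return "remote"
    if parts.path.startswith("/") or ".." in parts.path.split("/"):
        return "local"
    return "internal"


def scan_odf(data: bytes) -> list[dict]:
    """Return one finding per link in `data` (an ODF zip) that leaves the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in LINK_BEARING_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href is None:
                    continue
                kind = classify_href(href)
                if kind != "internal":
                    findings.append({
                        "part": part,
                        "element": el.tag.rsplit("}", 1)[-1],  # drop namespace URI
                        "href": href,
                        "kind": kind,
                    })
    return findings


def build_sample_odt() -> bytes:
    """Constructed minimal .odt: one benign embedded picture plus three links
    that an update-on-load converter would dereference (made-up host and paths)."""
    content = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">
  <office:body><office:text>
    <draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>
    <draw:frame><draw:image xlink:href="http://intranet.example/status"/></draw:frame>
    <text:section text:name="FromFile">
      <text:section-source xlink:href="file:///etc/hostname"/>
    </text:section>
    <text:section text:name="Traversal">
      <text:section-source xlink:href="../../../etc/hostname"/>
    </text:section>
  </office:text></office:body>
</office:document-content>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires "mimetype" as the first entry, stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_odf(build_sample_odt()):
        print(f"{f['kind']:<12} {f['part']} <{f['element']}> {f['href']}")
```

Run directly, the script lists the three links in the constructed sample (one remote, two local) and stays silent about the package-internal picture. In a conversion pipeline, quarantine any document with a non-empty result, but keep the converter-side fix from the changelog in place as well: a scanner that knows a handful of ODF elements is a defence-in-depth filter, not a replacement for a loader that does not update links. In LibreOffice's UNO API the behaviour the changelog describes corresponds to the `UpdateDocMode` load property (value `com.sun.star.document.UpdateDocMode.NO_UPDATE`); the page does not show the patch itself, so check d/patches in unoconv 0.7-2 for the exact property it sets.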






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 27 08:32:49 2019; Machine Name: beach
