shapelib: CVE-2022-0699

Debian Bug report logs - #1022557

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sun, 23 Oct 2022 20:00:02 UTC

Severity: important

Tags: security

Fixed in version shapelib/1.5.0-3

Done: Bas Couwenberg <sebastic@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>:
Bug#1022557; Package src:shapelib. (Sun, 23 Oct 2022 20:00:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Sun, 23 Oct 2022 20:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: shapelib: CVE-2022-0699
Date: Sun, 23 Oct 2022 21:57:05 +0200
Source: shapelib
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for shapelib.

CVE-2022-0699[0]:
| A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0
| and older releases. This issue may allow an attacker to cause a denial
| of service or have other unspecified impact via control over malloc.

https://github.com/OSGeo/shapelib/issues/39
https://github.com/OSGeo/shapelib/commit/c75b9281a5b9452d92e1682bdfe6019a13ed819f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0699
    https://www.cve.org/CVERecord?id=CVE-2022-0699

Please adjust the affected versions in the BTS as needed.
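The CVE text above describes a double free. The block below is an added illustration, not shapelib's code and not the upstream fix referenced in the report: it shows the defensive pattern that removes the bug class, namely routing every owning pointer through one helper that frees it and nulls it, so that a cleanup routine can run twice (once from an error path, once from the normal exit) without the same allocation reaching free() a second time. All names (record_t, record_init, record_clear, free_and_null) and the sample data are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from shapelib. The struct and function names are
 * constructed for illustration. */

static int g_free_calls; /* counts real free() calls, for the self-check below */

/* Free *pp and null the slot; a second call on the same slot is a no-op. */
static void free_and_null(void **pp)
{
    if (pp != NULL && *pp != NULL) {
        free(*pp);
        g_free_calls++;
        *pp = NULL;
    }
}

typedef struct {
    char **values;  /* owned array of owned strings */
    size_t count;
} record_t;

/* Release everything owned by rec. Safe to call any number of times. */
static void record_clear(record_t *rec)
{
    if (rec == NULL)
        return;
    for (size_t i = 0; i < rec->count; i++)
        free_and_null((void **)&rec->values[i]);
    free_and_null((void **)&rec->values);
    rec->count = 0;
}

/* Fill rec with `count` copies of `text`; returns 1 on success, 0 on failure.
 * On failure it calls record_clear(), and the caller may call it again:
 * that is exactly the double-cleanup situation the pattern makes harmless. */
static int record_init(record_t *rec, size_t count, const char *text)
{
    size_t len = strlen(text) + 1;
    rec->values = calloc(count, sizeof *rec->values);
    if (rec->values == NULL)
        return 0;
    rec->count = count;
    for (size_t i = 0; i < count; i++) {
        rec->values[i] = malloc(len);
        if (rec->values[i] == NULL) {
            record_clear(rec);
            return 0;
        }
        memcpy(rec->values[i], text, len);
    }
    return 1;
}

/* Build a three-string record, clear it twice, and return how many times
 * free() actually ran. The correct answer is 4 (three strings plus the
 * array); a cleanup that did not null its pointers would free them again. */
static int demo_double_clear(void)
{
    record_t rec = {0};
    if (!record_init(&rec, 3, "shape"))
        return -1;
    g_free_calls = 0;
    record_clear(&rec);
    record_clear(&rec); /* second call finds every slot already NULL */
    return g_free_calls;
}

int main(void)
{
    printf("free() calls across two clears: %d\n", demo_double_clear());
    return 0;
}
```

Building such code with `-fsanitize=address` turns any real second free() of the same block into an immediate report with both stack traces, which is the quickest way to confirm a suspected double free in a tool like shpsort during triage.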



Reply sent to Bas Couwenberg <sebastic@debian.org>:
You have taken responsibility. (Mon, 24 Oct 2022 04:24:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 24 Oct 2022 04:24:04 GMT)


Message #10 received at 1022557-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1022557-close@bugs.debian.org
Subject: Bug#1022557: fixed in shapelib 1.5.0-3
Date: Mon, 24 Oct 2022 04:20:44 +0000
Source: shapelib
Source-Version: 1.5.0-3
Done: Bas Couwenberg <sebastic@debian.org>

We believe that the bug you reported is fixed in the latest version of
shapelib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1022557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg <sebastic@debian.org> (supplier of updated shapelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Oct 2022 05:38:54 +0200
Source: shapelib
Architecture: source
Version: 1.5.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Bas Couwenberg <sebastic@debian.org>
Closes: 1022557
Changes:
 shapelib (1.5.0-3) unstable; urgency=high
 .
   * Bump watch file version to 4.
   * Update lintian overrides.
   * Bump Standards-Version to 4.6.1, no changes.
   * Bump debhelper compat to 12, changes:
     - Drop --list-missing from dh_install
   * Add upstream patch to fix CVE-2022-0699.
     (closes: #1022557)
Checksums-Sha1:
 f4fc78716259ca9577f3a08559012ff63c4248d0 2081 shapelib_1.5.0-3.dsc
 533c26632a489e7f4289e348ecb0ccacfbb246cd 16060 shapelib_1.5.0-3.debian.tar.xz
 4fffe9dc53db6b6de220b2db869dc57fbeae06b8 9211 shapelib_1.5.0-3_amd64.buildinfo
Checksums-Sha256:
 cc50607e91f60fe5eb4dd028df45934d91af83b8511e411a481ce11f7e164d42 2081 shapelib_1.5.0-3.dsc
 b9df27d84148e0a136bd05ac7ccdad7240a6e7223addd06ce827048ececa8b2b 16060 shapelib_1.5.0-3.debian.tar.xz
 3f80effc2588b60014d112ed92aa69b48f0a6709dd3381f3c0498da3725b6fdc 9211 shapelib_1.5.0-3_amd64.buildinfo
Files:
 da0101abdba9f029a10b0a2b21ac036c 2081 libs optional shapelib_1.5.0-3.dsc
 f5bce03d79dd86504c6fa888dd7a9755 16060 libs optional shapelib_1.5.0-3.debian.tar.xz
 17b51019604d78fadc5ac03c04576f5b 9211 libs optional shapelib_1.5.0-3_amd64.buildinfo


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Oct 24 13:24:04 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.