Debian Bug report logs -
#883792
libxcursor: CVE-2017-16612: heap overflows when parsing malicious files
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 7 Dec 2017 15:33:02 UTC
Severity: important
Tags: patch, security, upstream
Found in version libxcursor/1:1.1.14-1
Fixed in versions libxcursor/1:1.1.14-1+deb9u1, libxcursor/1:1.1.14-1+deb8u1, libxcursor/1:1.1.14-3.1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#883792; Package src:libxcursor.
(Thu, 07 Dec 2017 15:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>.
(Thu, 07 Dec 2017 15:33:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libxcursor
Version: 1:1.1.14-1
Severity: important
Tags: patch security upstream
Hi,
the following vulnerability was published for libxcursor.
CVE-2017-16612[0]:
| libXcursor before 1.1.15 has various integer overflows that could lead
| to heap buffer overflows when processing malicious cursors, e.g., with
| programs like GIMP.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
[1]
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#883792; Package src:libxcursor.
(Sat, 09 Dec 2017 07:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.
(Sat, 09 Dec 2017 07:57:03 GMT) (full text, mbox, link).
Message #10 received at 883792@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 883792 + pending
Dear maintainer,
I've prepared an NMU for libxcursor (versioned as 1:1.1.14-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[libxcursor-1.1.14-3.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 883792-submit@bugs.debian.org.
(Sat, 09 Dec 2017 07:57:03 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 09 Dec 2017 12:03:16 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Dec 2017 12:03:16 GMT) (full text, mbox, link).
Message #17 received at 883792-close@bugs.debian.org (full text, mbox, reply):
Source: libxcursor
Source-Version: 1:1.1.14-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
libxcursor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxcursor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 Dec 2017 17:07:35 +0100
Source: libxcursor
Binary: libxcursor1 libxcursor1-udeb libxcursor1-dbg libxcursor-dev
Architecture: source
Version: 1:1.1.14-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 883792
Description:
libxcursor-dev - X cursor management library (development files)
libxcursor1 - X cursor management library
libxcursor1-dbg - X cursor management library (unstripped)
libxcursor1-udeb - X cursor management library (udeb)
Changes:
libxcursor (1:1.1.14-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix heap overflows when parsing malicious files (CVE-2017-16612)
(Closes: #883792)
Package-Type: udeb
Checksums-Sha1:
fa523eff12447207cc077d46c5a0eb9da2d87178 2489 libxcursor_1.1.14-1+deb9u1.dsc
c33076d4567862854b28fb5fd76888ecd62603c1 19302 libxcursor_1.1.14-1+deb9u1.diff.gz
Checksums-Sha256:
81c5372315e4534c07f1bbc05e92927568ae55e84b3609d6f95c11e592890791 2489 libxcursor_1.1.14-1+deb9u1.dsc
7bf662975b685c42ee3125ecf370cefb804afa0c45423d1ff26c690b0b6e5de3 19302 libxcursor_1.1.14-1+deb9u1.diff.gz
Files:
ac49ec1ce39bd604be57ed8ab59d9cff 2489 devel optional libxcursor_1.1.14-1+deb9u1.dsc
7bc9c086a59ccc7b6d3bd2a77f4fd543 19302 devel optional libxcursor_1.1.14-1+deb9u1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopoddfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EMvsQAJTO9PKdwvRhz/PkCw19737OQQVejPbt
KaKsq1Xv5P2pu46aApmWvQb0KG62qcpoqBVfQg9Wc+gqH3HPFCo4V0eCPl9WZhku
y9txijhTEgqu4ErT46AFIWc+NdBMkGWoK9O33ElfheDaEVyTC55flf5h6zNzzugi
sPVumGC/4xJWPG2uF6jzXrsaxb9n5c6GBVtzgHZb/Vpc/KbYkc+RfpmhoEumf8Jj
ZBU91pqyOqlADghdpef4mRzKCFhlCtMjs4krCGbFbELHyTLyV9lDPZBCPC593IFP
et8jPUPoQLlHZ3puKEhaIGeYfGTMSfBwMMTtXay8L9SZYXtZXledZ8tugq+f+pDQ
zGTzKDFjdOkCcxxzLC6eqqz0olKiBEc/rkwfPSpHIaaMUJRqUJoc6yy5JZfICVsA
Fyfih7A+X802H/pwKavmbAUIJmVl/g6H9dkX9zzwK7X83y9dIPodqH2fTN7A4DEg
95tRjUdwDl8ouBGVzhKQcvhUP1DXEyC5mo1xm110dESBN2UgOPnViYdVJN1kB4dC
Wc7ecRwa1eZQPNGgrXA2dXkxTZ7HVjrK+yZ3kwEWnQRY6c/8qYMZi8nPLjEfj73f
hC0BQTY7J+5kFg7B/bYjx/XbYCTcMjcviv26ADZhVG4HGJSetNipLLpY7X0TB8NA
MSYA3umIgLhb
=8MLl
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 09 Dec 2017 14:39:13 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Dec 2017 14:39:13 GMT) (full text, mbox, link).
Message #22 received at 883792-close@bugs.debian.org (full text, mbox, reply):
Source: libxcursor
Source-Version: 1:1.1.14-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
libxcursor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxcursor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 Dec 2017 16:41:25 +0100
Source: libxcursor
Binary: libxcursor1 libxcursor1-udeb libxcursor1-dbg libxcursor-dev
Architecture: source
Version: 1:1.1.14-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 883792
Description:
libxcursor-dev - X cursor management library (development files)
libxcursor1 - X cursor management library
libxcursor1-dbg - X cursor management library (unstripped)
libxcursor1-udeb - X cursor management library (udeb)
Changes:
libxcursor (1:1.1.14-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix heap overflows when parsing malicious files (CVE-2017-16612)
(Closes: #883792)
Package-Type: udeb
Checksums-Sha1:
f5b40465c76de143ba07b0dd875b0f726c1e7c55 2489 libxcursor_1.1.14-1+deb8u1.dsc
873a91831946cdedc0724b1d048c8041d958807c 374910 libxcursor_1.1.14.orig.tar.gz
5f9c33126ce19bf8fcfc2350ab6e78fdad60139e 19303 libxcursor_1.1.14-1+deb8u1.diff.gz
Checksums-Sha256:
7af9f2b539d1fca5fda58ad45597cb748a3bfc60ac40e979264d99354ceefea3 2489 libxcursor_1.1.14-1+deb8u1.dsc
be0954faf274969ffa6d95b9606b9c0cfee28c13b6fc014f15606a0c8b05c17b 374910 libxcursor_1.1.14.orig.tar.gz
eaeb821b3d4eab91585687533da6bfec45e1195e7f6cf984ced43b221cc4296d 19303 libxcursor_1.1.14-1+deb8u1.diff.gz
Files:
7ba0e1b103e6a968b699d0058f99e564 2489 devel optional libxcursor_1.1.14-1+deb8u1.dsc
39c8423de190d64f1c52fbc00022e52c 374910 devel optional libxcursor_1.1.14.orig.tar.gz
d3446e44aadefbf91843af6a2ceae6cf 19303 devel optional libxcursor_1.1.14-1+deb8u1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopoZRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Eu6wP/3/vjAKrdRGIR32KXepIebQvyiNK/quh
WpvOYEWQFUuQxUmBC7MECBE9xTOmOEWhC2a0riRLgol7lzu8aVHHNcMxUpGHC3pa
ioATVgzQTVRweg65oRbN9q8VLwNx+jEjN4yFBzjiRkdxtlwjdugIwFLG5id/6yfR
w3sEKyQFAa1UNAkqtPPtGVqbqwhB8FGvfZFKA8MTiZzFNnqxGZudkga0YOKFBTkI
eo206Kyx7P45blnLQm3z2Tb80ygQ11LvS9fYfeK7I83klVCNXmGUnwrhV7a7ffB/
QIr0kpEqKoSNTIJwVfU0xzHfdnOI6PojqBLrc0DVjzl0a6BZZU3vQ35oKkozNlul
CDkQS6DEOTnrsIr/5B4ftpZLQcBwfsLhL2pZQlaXQ7s/GVf5hPDTCJYcbqPdKh4h
P1r//ouQWQ/HYadCnkFIa5Rqd4gs6wewqtgosrLeiUfxpWN5SFV2jmlnKK/99EHw
BoaGu41jJofbRrbKDUH8qAtLHxIHDu/mUcpl8zDiBGKR4YC41MkWzzoUYbwdoDe+
mGvoAhL00Dam6NgXfZTCf63VoD5Xtu2xtijrYiQ+0/HUHse3Lloi1aPFC2RMNAa0
phLagWHhW+Jq77Ry/XQAt4hWN+gtGXQMLvD5k+rGeyxWRIW1Rmq5HSmWYd5kSA+q
/MNICxjDIutA
=IxDI
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Mon, 11 Dec 2017 09:09:20 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Dec 2017 09:09:20 GMT) (full text, mbox, link).
Message #27 received at 883792-close@bugs.debian.org (full text, mbox, reply):
Source: libxcursor
Source-Version: 1:1.1.14-3.1
We believe that the bug you reported is fixed in the latest version of
libxcursor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxcursor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Dec 2017 08:45:47 +0100
Source: libxcursor
Binary: libxcursor1 libxcursor1-udeb libxcursor-dev
Architecture: source
Version: 1:1.1.14-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 883792
Description:
libxcursor-dev - X cursor management library (development files)
libxcursor1 - X cursor management library
libxcursor1-udeb - X cursor management library (udeb)
Changes:
libxcursor (1:1.1.14-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix heap overflows when parsing malicious files (CVE-2017-16612)
(Closes: #883792)
Package-Type: udeb
Checksums-Sha1:
424a1e70149bf20ecd9f5fa3abae12e02ec30a07 2422 libxcursor_1.1.14-3.1.dsc
2ffec746fe09c462f6e7fbce1afcf162d201bff2 9836 libxcursor_1.1.14-3.1.debian.tar.xz
Checksums-Sha256:
b1cd95c8131cf8fe4252c379e702a9531a76ac532752f79b8dee94a01dc51a9e 2422 libxcursor_1.1.14-3.1.dsc
b2cc4ae463ae8e015f16c15ae0e058625a401422a30c001dcae71ebbf5ba9dc8 9836 libxcursor_1.1.14-3.1.debian.tar.xz
Files:
801502fe0f22b4d76723210ca0184889 2422 devel optional libxcursor_1.1.14-3.1.dsc
b7306def0044a280ec1ca9db1dd4b964 9836 devel optional libxcursor_1.1.14-3.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlorlc5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EbkoP/jlAWJQiFaCKUCoNrX0wevlTTGdvrvsI
o8lqdVMizMsZbBgKhrs2st4zPA7Sw0RKnaQg0+lITNVL99hDsj1QBt4QsoiaDwk3
uWgnqojgVlBvShuk0klV0TwYjPA1NycKMVTm0g5Uy9zy0JJJUesJy6BXO3g3pnZf
gOKvUcObfsHxp2j80jXE3mzK4F1ztL6gY6FJIiGCVMQFDyT4XVjIQFX7CmmDqDJK
FLD7/Kq+pd6utVnNUL3v/0VCQBu3+RtleJ5b+L0J7Dvd2+95sUiq015kWm1iQZ1r
QrLYkR2Zb1mNtsbNTM6KQfGbsHplx/2SHLRnzEghnprogxKAuh4mJqNOCM+ZvlXr
rjMP5hnZkEzDuiadJ3+so3viSjjuAkOByeR+DCFi9Wu34YnC9iYbadYIMeqGYqfB
Dmuv3N94M86B3FQqqeS8LWcSO1TaIw2s7ISjN6niDjiy60OQrJKwtydK75YVClG5
XWEldVMk7ZoWBGDoIP+oStMkCRMQdhgmdZQmKFkZDBNkpotKjo873eDOIKA2iIsU
BSOs0+PprPdxzklbg/02iMnrLFMSYt7vMQ8NDe9VDI2wKqozxAK4aoOWQmJuQX9y
FZtTyc5iqQ3+26zIVEsA912SWmdUU4zlttPU8quUNHaiEKPtOhqKYgBJJFgheVfg
AuRt09alqXjV
=A/gj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 22 Jan 2018 07:29:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:15:29 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon