Debian Bug report logs -
#892599
afflib: CVE-2018-8050
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 11 Mar 2018 09:42:05 UTC
Severity: important
Tags: patch, security, upstream
Found in version afflib/3.7.5-1
Fixed in version afflib/3.7.16-3
Done: Raphaël Hertzog <hertzog@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>:
Bug#892599; Package src:afflib.
(Sun, 11 Mar 2018 09:42:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>.
(Sun, 11 Mar 2018 09:42:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: afflib
Version: 3.7.5-1
Severity: important
Tags: patch security upstream
Hi,
the following vulnerability was published for afflib.
CVE-2018-8050[0]:
| The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka
| AFFLIBv3) through 3.7.16 allows remote attackers to cause a denial of
| service (segmentation fault) via a corrupt AFF image that triggers an
| unexpected pagesize value.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-8050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8050
[1] https://github.com/sshock/AFFLIBv3/commit/435a2ca802358a3debb6d164d2c33049131df81c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>:
Bug#892599; Package src:afflib.
(Sun, 11 Mar 2018 21:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Phillip Hellewell <sshock@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Forensics <forensics-devel@lists.alioth.debian.org>.
(Sun, 11 Mar 2018 21:00:03 GMT) (full text, mbox, link).
Message #10 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I checked in the fix for this in commit 435a2ca (
https://github.com/sshock/AFFLIBv3/commit/435a2ca). (Sorry I didn't have a
CVE id yet so that was not included in the commit comment.)
What needs to happen now? Do I need to do anything or can you guys take it
from here?
Phillip
On Sun, Mar 11, 2018 at 3:40 AM, Salvatore Bonaccorso <carnil@debian.org>
wrote:
> Source: afflib
> Version: 3.7.5-1
> Severity: important
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerability was published for afflib.
>
> CVE-2018-8050[0]:
> | The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka
> | AFFLIBv3) through 3.7.16 allows remote attackers to cause a denial of
> | service (segmentation fault) via a corrupt AFF image that triggers an
> | unexpected pagesize value.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-8050
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8050
> [1] https://github.com/sshock/AFFLIBv3/commit/
> 435a2ca802358a3debb6d164d2c33049131df81c
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>:
Bug#892599; Package src:afflib.
(Sun, 11 Mar 2018 21:00:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Phillip Hellewell <sshock@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Forensics <forensics-devel@lists.alioth.debian.org>.
(Sun, 11 Mar 2018 21:00:12 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#892599.
(Thu, 15 Mar 2018 00:39:03 GMT) (full text, mbox, link).
Message #18 received at 892599-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #892599 in afflib reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/pkg-security-team/afflib/commit/ad47da77d7b74cfec267833f82c52d5f969cc2a1
------------------------------------------------------------------------
Fix CVE-2018-8050: DoS via a corrupt AFF image
Closes: #892599
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/892599
Added tag(s) pending.
Request was from hertzog@debian.org
to 892599-submitter@bugs.debian.org.
(Thu, 15 Mar 2018 00:39:03 GMT) (full text, mbox, link).
Reply sent
to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility.
(Thu, 15 Mar 2018 00:51:04 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 15 Mar 2018 00:51:04 GMT) (full text, mbox, link).
Message #25 received at 892599-close@bugs.debian.org (full text, mbox, reply):
Source: afflib
Source-Version: 3.7.16-3
We believe that the bug you reported is fixed in the latest version of
afflib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 892599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated afflib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 15 Mar 2018 01:13:49 +0100
Source: afflib
Binary: libafflib0v5 libafflib-dev afflib-tools
Architecture: source
Version: 3.7.16-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
afflib-tools - Advanced Forensics Format Library (utilities)
libafflib-dev - Advanced Forensics Format Library (development files)
libafflib0v5 - Advanced Forensics Format Library
Closes: 892599
Changes:
afflib (3.7.16-3) unstable; urgency=medium
.
* Team upload.
* Update team maintainer address to Debian Security Tools
<team+pkg-security@tracker.debian.org>
* Update Vcs-Git and Vcs-Browser for the move to salsa.debian.org
* Fix CVE-2018-8050: DoS via a corrupt AFF image (Closes: #892599)
* Switch debhelper compat to 11.
* Drop dh-autoreconf build dependency (implicit via debhelper).
* Bump Standards-Version to 4.1.3.
* Update symbols file.
Checksums-Sha1:
736b981fe74b289fada8c4075ef7f99a5e6431bc 1825 afflib_3.7.16-3.dsc
44d050441bdfd442ca120ac6ae52013c3748e52a 25904 afflib_3.7.16-3.debian.tar.xz
253452774c11bc9fec37e044cfc6f2a2c563aaa1 5544 afflib_3.7.16-3_source.buildinfo
Checksums-Sha256:
97bcd4694c5d570f3272321e594e8bbcc9f7f97d11d01ac050e7d7e0d1d008a8 1825 afflib_3.7.16-3.dsc
f8456715331aa2c913e2293dda867a46a28aaf581da49dfec87b89e485591a66 25904 afflib_3.7.16-3.debian.tar.xz
f79a9ac42581b937f8fa8c4dd23d968ebdc1601d60f3b58d7fcc2b52c8412bd4 5544 afflib_3.7.16-3_source.buildinfo
Files:
ea4bacbced7eb4ec31587a3476d0215e 1825 libs optional afflib_3.7.16-3.dsc
9a275142793da42641a477a20ebcb2a0 25904 libs optional afflib_3.7.16-3.debian.tar.xz
a64e967846bd4d1f80e2ae6e4f5aa1ee 5544 libs optional afflib_3.7.16-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
Comment: Signed by Raphael Hertzog
iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAlqpv6UACgkQA4gdq+vC
mrnApQgAifjFJL7CRuJmAt0kh5mGTc1RdW2aiVRQOutvZsWdB0jOPHQpv/L/AYB4
M2MUupl5rLuC6Ek/xdVqiDMjm3NuAKxNk2BecaL6YkHxANZEczOSTuxvYBd8nT7b
foJH49eh6YvF8tYbTRtDgX151gL5uCl/iWDwv68ayavvAEMgZuY6b+BuF8nPqf+8
I4haYIDApnN1IDEvSHPxwdM0Sd3JdritIVlx6rXTZKma6H3wE30Y/g/yYa2cfluD
gOpw4dy1keXNKZQH13GMrHpUGqFl1T4zCksAR+SmNnoFRqxKYJ8So0Kq7EfEunBc
dcqJUM4LGGC6kMa59TlNRU2tNGsVSg==
=diU9
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 17 Apr 2018 07:33:42 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:55:57 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon