liblouis: CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744

Debian Bug report logs - #874302


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 4 Sep 2017 20:12:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions 3.0.0-3, liblouis/3.0.0-3

Fixed in versions liblouis/3.0.0-3+deb9u1, liblouis/3.3.0-1

Done: Samuel Thibault <sthibault@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>:
Bug#874302; Package src:liblouis. (Mon, 04 Sep 2017 20:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>. (Mon, 04 Sep 2017 20:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblouis: CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744
Date: Mon, 04 Sep 2017 22:09:35 +0200
Source: liblouis
Version: 3.0.0-3
Severity: important
Tags: upstream security fixed-upstream

Hi

The new upstream version 3.3.0 fixes several CVEs for liblouis:

CVE-2017-13738
CVE-2017-13739
CVE-2017-13740
CVE-2017-13741
CVE-2017-13742
CVE-2017-13743
CVE-2017-13744

https://github.com/liblouis/liblouis/releases/tag/v3.3.0

The issues were marked no-dsa for stretch and jessie, but a fix is
welcomed via an upcoming point release if possible.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>:
Bug#874302; Package src:liblouis. (Tue, 05 Sep 2017 18:06:02 GMT)


Acknowledgement sent to "Leonidas S. Barbosa" <leo.barbosa@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <debian-accessibility@lists.debian.org>. (Tue, 05 Sep 2017 18:06:02 GMT)


Message #10 received at 874302@bugs.debian.org:

From: "Leonidas S. Barbosa" <leo.barbosa@canonical.com>
To: Debian Bug Tracking System <874302@bugs.debian.org>
Subject: liblouis: Debdiff for liblouis CVEs 38, 39, 40, 42 and 44 with prefix (CVE-2017-1137*)
Date: Tue, 05 Sep 2017 15:02:31 -0300
Package: liblouis
Version: 3.0.0-3
Followup-For: Bug #874302
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:


  * SECURITY UPDATE: Illegal address access in getALine
    - debian/patches/CVE-2017-13738-and-2017-13744.patch: fix
      possible out-of-bounds write in liblouis/compileTranslationTable.c.
    - CVE-2017-13738
    - CVE-2017-13744
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch:
      fix buffer overflow parsing malformed table in
      liblouis/compileTranslationTable.c.
    - CVE-2017-13739
    - CVE-2017-13740
    - CVE-2017-13742


Note that for us 41 and 43 were considered as ignored, since it seems they
are caught just with ASAN.

Thanks for considering the patch.



-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
[liblouis_3.0.0-3ubuntu1.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>:
Bug#874302; Package src:liblouis. (Tue, 05 Sep 2017 19:00:04 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <debian-accessibility@lists.debian.org>. (Tue, 05 Sep 2017 19:00:04 GMT)


Message #15 received at 874302@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: "Leonidas S. Barbosa" <leo.barbosa@canonical.com>
Cc: 874302@bugs.debian.org
Subject: Re: Bug#874302: liblouis: Debdiff for liblouis CVEs 38, 39, 40, 42 and 44 with prefix (CVE-2017-1137*)
Date: Tue, 5 Sep 2017 20:44:15 +0200
Hi Leonidas,

On 05-09-17 20:02, Leonidas S. Barbosa wrote:
> In Ubuntu, the attached patch was applied to achieve the following:

Just so I understand it right, why didn't you package the new upstream
as suggested by the Debian security team?

Paul



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>:
Bug#874302; Package src:liblouis. (Tue, 05 Sep 2017 19:06:04 GMT)


Acknowledgement sent to "Leonidas S. Barbosa" <leo.barbosa@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <debian-accessibility@lists.debian.org>. (Tue, 05 Sep 2017 19:06:04 GMT)


Message #20 received at 874302@bugs.debian.org:

From: "Leonidas S. Barbosa" <leo.barbosa@canonical.com>
To: Paul Gevers <elbrus@debian.org>
Cc: 874302@bugs.debian.org
Subject: Re: Bug#874302: liblouis: Debdiff for liblouis CVEs 38, 39, 40, 42 and 44 with prefix (CVE-2017-1137*)
Date: Tue, 05 Sep 2017 16:03:47 -0300
On Ter, 2017-09-05 at 20:44 +0200, Paul Gevers wrote:
> Hi Leonidas,
> 
> On 05-09-17 20:02, Leonidas S. Barbosa wrote:
> > 
> > In Ubuntu, the attached patch was applied to achieve the following:
> Just so I understand it right, why didn't you package the new
> upstream
> as suggested by the Debian security team?
> 
> Paul
> 
Ok, sorry, it was probably my mistake. I'm using the submittodebian tool
and didn't see those suggestions.

[]'s



Added tag(s) pending. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Thu, 07 Sep 2017 23:03:02 GMT)


Reply sent to Samuel Thibault <sthibault@debian.org>:
You have taken responsibility. (Thu, 14 Sep 2017 15:03:41 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Sep 2017 15:03:41 GMT)


Message #27 received at 874302-close@bugs.debian.org:

From: Samuel Thibault <sthibault@debian.org>
To: 874302-close@bugs.debian.org
Subject: Bug#874302: fixed in liblouis 3.3.0-1
Date: Thu, 14 Sep 2017 15:00:12 +0000
Source: liblouis
Source-Version: 3.3.0-1

We believe that the bug you reported is fixed in the latest version of
liblouis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated liblouis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Sep 2017 01:01:17 +0200
Source: liblouis
Binary: liblouis-dev liblouis14 liblouis-data liblouis-bin python-louis python3-louis
Architecture: source amd64 all
Version: 3.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Description:
 liblouis-bin - Braille translation library - utilities
 liblouis-data - Braille translation library - data
 liblouis-dev - Braille translation library - static libs and headers
 liblouis14 - Braille translation library - shared libs
 python-louis - Python bindings for liblouis
 python3-louis - Python bindings for liblouis
Closes: 874302
Changes:
 liblouis (3.3.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: Bug#874302).
     - rename liblouis12 to liblouis14 according to soname bump.
   * Use canonical anonscm vcs URL.
   * control: Update maintainer mailing list.
   * control: Migrate priority to optional.
   * control: Bump Standards-Version to 4.1.0.
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 Oct 2017 07:25:03 GMT)


Bug unarchived. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Thu, 02 Nov 2017 14:09:04 GMT)


Marked as fixed in versions liblouis/3.0.0-3+deb9u1. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Thu, 02 Nov 2017 14:09:04 GMT)


Bug archived. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Thu, 02 Nov 2017 14:09:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:01 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.