libextractor: CVE-2018-20431

Related Vulnerabilities: CVE-2018-20431   CVE-2018-20430  

Debian Bug report logs - #917213
libextractor: CVE-2018-20431


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 24 Dec 2018 08:21:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions libextractor/1:1.8-1, libextractor/1:1.3-4+deb9u2, libextractor/1:1.3-1

Fixed in versions libextractor/1:1.3-2+deb8u4, libextractor/1:1.8-2, libextractor/1:1.3-4+deb9u3

Done: Bertrand Marc <bmarc@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://gnunet.org/bugs/view.php?id=5494



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#917213; Package src:libextractor. (Mon, 24 Dec 2018 08:21:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Bertrand Marc <bmarc@debian.org>. (Mon, 24 Dec 2018 08:21:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libextractor: CVE-2018-20431
Date: Mon, 24 Dec 2018 09:18:06 +0100
Source: libextractor
Version: 1:1.8-1
Severity: important
Tags: patch security upstream
Forwarded: https://gnunet.org/bugs/view.php?id=5494

Hi,

The following vulnerability was published for libextractor.

CVE-2018-20431[0]:
| GNU Libextractor through 1.8 has a NULL Pointer Dereference
| vulnerability in the function process_metadata() in
| plugins/ole2_extractor.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20431
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431
[1] https://gnunet.org/bugs/view.php?id=5494
[2] https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libextractor/1:1.3-4+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 24 Dec 2018 20:21:03 GMT).


Marked as found in versions libextractor/1:1.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 24 Dec 2018 20:21:04 GMT).


Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Thu, 27 Dec 2018 19:09:02 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Dec 2018 19:09:03 GMT).


Message #14 received at 917213-close@bugs.debian.org:

From: Bertrand Marc <bmarc@debian.org>
To: 917213-close@bugs.debian.org
Subject: Bug#917213: fixed in libextractor 1:1.8-2
Date: Thu, 27 Dec 2018 19:04:34 +0000
Source: libextractor
Source-Version: 1:1.8-2

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 27 Dec 2018 19:45:49 +0100
Source: libextractor
Binary: libextractor3 libextractor-dev extract
Architecture: source amd64
Version: 1:1.8-2
Distribution: unstable
Urgency: high
Maintainer: Bertrand Marc <bmarc@debian.org>
Changed-By: Bertrand Marc <bmarc@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 917213 917214
Changes:
 libextractor (1:1.8-2) unstable; urgency=high
 .
   * Fix out-of-bounds read vulnerability in common/convert.c (Closes: #917214,
     CVE-2018-20430).
   * Fix NULL pointer dereference in OLE2 extractor (Closes: #917213,
     CVE-2018-20431).
   * Standards-version: 4.3.0, no changes needed.




Marked as fixed in versions libextractor/1:1.3-2+deb8u4. Request was from Bertrand Marc <bmarc@debian.org> to control@bugs.debian.org. (Fri, 28 Dec 2018 10:03:08 GMT).


Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Thu, 03 Jan 2019 21:51:39 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Jan 2019 21:51:39 GMT).


Message #21 received at 917213-close@bugs.debian.org:

From: Bertrand Marc <bmarc@debian.org>
To: 917213-close@bugs.debian.org
Subject: Bug#917213: fixed in libextractor 1:1.3-4+deb9u3
Date: Thu, 03 Jan 2019 21:47:11 +0000
Source: libextractor
Source-Version: 1:1.3-4+deb9u3

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 27 Dec 2018 21:52:52 +0100
Source: libextractor
Binary: libextractor3 libextractor-dbg libextractor-dev extract
Architecture: source amd64
Version: 1:1.3-4+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Bertrand Marc <beberking@gmail.com>
Changed-By: Bertrand Marc <bmarc@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dbg - extracts meta-data from files of arbitrary type (debug)
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 917213 917214
Changes:
 libextractor (1:1.3-4+deb9u3) stretch-security; urgency=high
 .
   * Fix out-of-bounds read vulnerability in common/convert.c (Closes: #917214,
     CVE-2018-20430).
   * Fix NULL pointer dereference in OLE2 extractor (Closes: #917213,
     CVE-2018-20431).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2019 07:26:21 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:08:25 2019; Machine Name: buxtehude
