Debian Bug report logs - #880621
liblouis: CVE-2014-8184: stack-based buffer overflow in findTable()
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 2 Nov 2017 21:24:01 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version liblouis/2.5.1-1
Fixed in versions liblouis/2.6.2-1, liblouis/2.5.3-3+deb8u1
Done: Samuel Thibault <sthibault@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>: Bug#880621; Package src:liblouis. (Thu, 02 Nov 2017 21:24:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>. (Thu, 02 Nov 2017 21:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: liblouis
Version: 2.5.1-1
Severity: important
Tags: patch security upstream fixed-upstream
Control: fixed -1 2.6.2-1
Hi,
the following vulnerability was published for liblouis. The issue is
actually already fixed upstream quite a while ago, see the references.
The purpose of this bug is to try to be able to track an isolated fix
for jessie (Think this can go via a point release)
CVE-2014-8184[0]:
stack-based buffer overflow in findTable()
It was reported first at [1], see [2] which contains as well the
isolated patch which was applied by Red Hat.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-8184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8184
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1492701
[2] https://github.com/liblouis/liblouis/issues/425
Regards,
Salvatore
Marked as fixed in versions liblouis/2.6.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 02 Nov 2017 21:24:04 GMT)
Reply sent to Samuel Thibault <sthibault@debian.org>: You have taken responsibility. (Sun, 19 Nov 2017 22:52:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 19 Nov 2017 22:52:08 GMT)
Message #12 received at 880621-close@bugs.debian.org:
Source: liblouis
Source-Version: 2.5.3-3+deb8u1
We believe that the bug you reported is fixed in the latest version of
liblouis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 880621@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated liblouis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 03 Nov 2017 01:14:02 +0100
Source: liblouis
Binary: liblouis-dev liblouis2 liblouis-data liblouis-bin python-louis python3-louis
Architecture: source all amd64
Version: 2.5.3-3+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Accessibility Team <debian-accessibility@lists.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Description:
liblouis-bin - Braille translation library - utilities
liblouis-data - Braille translation library - data
liblouis-dev - Braille translation library - static libs and headers
liblouis2 - Braille translation library - shared libs
python-louis - Python bindings for liblouis
python3-louis - Python bindings for liblouis
Closes: 880621
Changes:
liblouis (2.5.3-3+deb8u1) jessie; urgency=medium
.
* Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621).
* Fix RedHat's patch.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Dec 2017 07:27:06 GMT)
Last modified: Wed Jun 19 17:52:39 2019; Machine Name: buxtehude