Debian Bug report logs -
#859714
lepton: CVE-2017-7448
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#859714; Package src:lepton.
(Thu, 06 Apr 2017 11:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Thu, 06 Apr 2017 11:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: lepton
Version: 1.2.1-2
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/dropbox/lepton/issues/86
Hi,
the following vulnerability was published for lepton.
CVE-2017-7448[0]:
| The allocate_channel_framebuffer function in uncompressed_components.hh
| in Dropbox Lepton 1.2.1 allows remote attackers to cause a denial of
| service (divide-by-zero error and application crash) via a malformed
| JPEG image.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7448
[1] https://github.com/dropbox/lepton/issues/86
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Reply sent
to ChangZhuo Chen (陳昌倬) <czchen@debian.org>:
You have taken responsibility.
(Thu, 06 Apr 2017 15:51:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 06 Apr 2017 15:51:08 GMT) (full text, mbox, link).
Message #10 received at 859714-close@bugs.debian.org (full text, mbox, reply):
Source: lepton
Source-Version: 1.2.1-3
We believe that the bug you reported is fixed in the latest version of
lepton, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 859714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czchen@debian.org> (supplier of updated lepton package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 06 Apr 2017 23:19:12 +0800
Source: lepton
Binary: lepton
Architecture: source
Version: 1.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Description:
lepton - tool to compress JPEGs losslessly
Closes: 859714
Changes:
lepton (1.2.1-3) unstable; urgency=high
.
* Merge upstream patch for CVE-2017-7448 (Closes: #859714).
Checksums-Sha1:
bf056ad7d8ad7dddc3259068ce0daba58285452c 2033 lepton_1.2.1-3.dsc
f6cf50f4e02fe274aa894ab0ffbc11e8fb35c06c 8020 lepton_1.2.1-3.debian.tar.xz
fa592a567ebc900684b108cde30afa55d07ec9be 6255 lepton_1.2.1-3_source.buildinfo
Checksums-Sha256:
cb74739dc6c58f9fd4821d5bcbb8f37de24fd14b09cd14949673f7d5f169cbc2 2033 lepton_1.2.1-3.dsc
4deebc82109b5c39955bc39fb56c6a60aef84ab6ed4ad7847c065fd7e0daace9 8020 lepton_1.2.1-3.debian.tar.xz
cfb5d78ff33896040ed064c057900ea8720e7151b6d867b3e773fb10954e9026 6255 lepton_1.2.1-3_source.buildinfo
Files:
c91263079b0819122b02054ec7f4fa51 2033 graphics optional lepton_1.2.1-3.dsc
45d6e6ac312d40c8eb44a9be80e473f8 8020 graphics optional lepton_1.2.1-3.debian.tar.xz
1de241f86d80acd671304f9ef83d89d3 6255 graphics optional lepton_1.2.1-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEE5H9tOJ8ReWWaF1PGrc2MXdaTaQFAljmXj0ACgkQGrc2MXda
TaRADhAA6UIwfJG1+1u2Crr9t42iOoAKERG7Gus6FWYi3bNsH1m6Bk52ksFPU9yF
3a3uvWpxvH7Jjj24cXAdwJMN76JetnsoSWhHH6loEKZ8b8cmf76frHsZGdSLZuKq
luiRAQCygmevLgMRbVZyMqCAzE2smZWogwKNGcgkdSaxZNOYUMgavc5fqWttU5wo
Os1LpjB75VFcuO4P9K85n9sKGutI+Xka3RhJ9ap93JDG8NqPJvgD4Z2PAFzg4gbs
pB7X8TXLVvhFhALNBt0KGrx5bon5JRYPh0IOxy2biO6UZhxeq/LB5ccT21reCQys
TCfkiqWtO+4vK2qFXRubNRx/52IYbCzjV9AqfO1qmKLnW+UOqMCgSUIFFbVIj8xe
yzlK3XZHVB3PK+ntTlqqraM0dhaRRv5RcHGapXQTx6baBvUSNDzgSlHpl8/8N2Qr
et9c0ncMMwxP21cMcwWshBbNXTpqL+m+x1jMGuDhAaHJwzdfBbXiLqT0j42CHbNh
QSxjcz5mhuJAnSshpWAgsTG+iOPfLchjcTMwtOCVuHS+JGxUzjO8BYJezBBDlI7g
O082cEy1xDMkVb31+yJI+luMwqCI2fkQrvAr7Q9TTFdKrOrmvRajx3Pn8CIezkzP
32ApyYuE53BSdtBeBScWsUzlFGWoRXWbMc6oLjwzc1bEKuYKf2A=
=7sHO
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 05 May 2017 07:25:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:33:45 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon