libextractor: CVE-2017-15922

Related Vulnerabilities: CVE-2017-15922, CVE-2017-17440

Debian Bug report logs - #880016

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 28 Oct 2017 12:30:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libextractor/1:1.6-1

Fixed in version libextractor/1:1.6-2

Done: Bertrand Marc <bmarc@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#880016; Package src:libextractor. (Sat, 28 Oct 2017 12:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>. (Sat, 28 Oct 2017 12:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libextractor: CVE-2017-15922
Date: Sat, 28 Oct 2017 14:27:57 +0200
Source: libextractor
Version: 1:1.6-1
Severity: important
Tags: patch security upstream
Forwarded: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html

Hi,

the following vulnerability was published for libextractor.

CVE-2017-15922[0]:
| In GNU Libextractor 1.4, there is an out-of-bounds read in the
| EXTRACTOR_dvi_extract_method function in plugins/dvi_extractor.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15922
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15922
[1] http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Thu, 28 Dec 2017 17:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Dec 2017 17:36:03 GMT)


Message #10 received at 880016-close@bugs.debian.org:

From: Bertrand Marc <bmarc@debian.org>
To: 880016-close@bugs.debian.org
Subject: Bug#880016: fixed in libextractor 1:1.6-2
Date: Thu, 28 Dec 2017 17:34:40 +0000
Source: libextractor
Source-Version: 1:1.6-2

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880016@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 28 Dec 2017 18:10:52 +0100
Source: libextractor
Binary: libextractor3 libextractor-dev extract
Architecture: source amd64
Version: 1:1.6-2
Distribution: unstable
Urgency: medium
Maintainer: Bertrand Marc <bmarc@debian.org>
Changed-By: Bertrand Marc <bmarc@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 880016 883528
Changes:
 libextractor (1:1.6-2) unstable; urgency=medium
 .
   * Add patches from upstream to fix CVE-2017-15922 (Closes: #880016) and
     CVE-2017-17440 (Closes: #883528).
   * Standards-version: 4.1.3.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 31 Jan 2018 07:27:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:21:17 2019; Machine Name: beach
