vips: CVE-2018-7998


Debian Bug report logs - #892589
vips: CVE-2018-7998


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 11 Mar 2018 07:33:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version vips/8.4.5-1

Fixed in version vips/8.4.5-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/jcupitt/libvips/issues/893



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#892589; Package src:vips. (Sun, 11 Mar 2018 07:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 11 Mar 2018 07:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vips: CVE-2018-7998
Date: Sun, 11 Mar 2018 08:31:00 +0100
Source: vips
Version: 8.4.5-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/jcupitt/libvips/issues/893

Hi,

the following vulnerability was published for vips.

CVE-2018-7998[0]:
| In libvips before 8.6.3, a NULL function pointer dereference
| vulnerability was found in the vips_region_generate function in
| region.c, which allows remote attackers to cause a denial of service or
| possibly have unspecified other impact via a crafted image file. This
| occurs because of a race condition involving a failed delayed load and
| other worker threads.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7998
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7998
[1] https://github.com/jcupitt/libvips/issues/893
[2] https://github.com/jcupitt/libvips/commit/20d840e6da15c1574b3ed998bc92f91d1e36c2a5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
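The CVE text above describes a bug class rather than a recipe: a delayed (lazy) load that fails leaves a function pointer unset, and a worker thread that only checks "has the load been attempted?" then calls through NULL. The following is an added illustration of that class, written for this page; it is not libvips code, does not reproduce region.c or the referenced fix commit, and every type and function name in it (image, generate_fn, delayed_load, region_generate_checked, run_failed_load_scenario) is hypothetical. It shows the unchecked call beside a checked variant that snapshots the pointer under the lock and returns an error instead of dispatching.

```c
#include <stddef.h>
#include <string.h>
#include <pthread.h>

/* Hypothetical image type with a delayed loader.  Added example; not
 * libvips code and not the logic of the CVE-2018-7998 fix. */
typedef struct image image;
typedef int (*generate_fn)(image *im, unsigned char *out, size_t n);

struct image {
    pthread_mutex_t lock;
    int load_attempted;    /* 1 once the delayed load has run, success or not */
    generate_fn generate;  /* installed by a successful load; NULL otherwise */
};

/* Pixel producer installed by a successful load (constructed sample). */
static int fill_pixels(image *im, unsigned char *out, size_t n)
{
    (void)im;
    memset(out, 0x7f, n);
    return 0;
}

/* Delayed loader: marks the attempt, installs the generator only on success. */
int delayed_load(image *im, int fail)
{
    pthread_mutex_lock(&im->lock);
    if (!im->load_attempted) {
        im->load_attempted = 1;
        if (!fail)
            im->generate = fill_pixels;   /* stays NULL when the load fails */
    }
    int ok = im->generate != NULL;
    pthread_mutex_unlock(&im->lock);
    return ok ? 0 : -1;
}

/* Buggy pattern: trusts "load was attempted" and calls the pointer blindly.
 * After a failed load this dereferences NULL.  Kept for comparison only. */
int region_generate_unchecked(image *im, unsigned char *out, size_t n)
{
    return im->generate(im, out, n);
}

/* Checked pattern: read the pointer under the lock, refuse to run if the
 * load failed, and hand the caller an error it can propagate. */
int region_generate_checked(image *im, unsigned char *out, size_t n)
{
    pthread_mutex_lock(&im->lock);
    generate_fn fn = im->generate;
    pthread_mutex_unlock(&im->lock);
    if (fn == NULL)
        return -1;
    return fn(im, out, n);
}

/* Worker thread: one region request against a shared image. */
struct worker_arg { image *im; int result; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    unsigned char buf[16];
    a->result = region_generate_checked(a->im, buf, sizeof buf);
    return NULL;
}

/* Failed-load scenario: up to 8 workers race on an image whose load failed.
 * Returns how many workers reported an error; with the checked path that is
 * all of them, and the process does not crash. */
int run_failed_load_scenario(int nworkers)
{
    image im = { PTHREAD_MUTEX_INITIALIZER, 0, NULL };
    pthread_t tids[8];
    struct worker_arg args[8];
    if (nworkers > 8) nworkers = 8;
    (void)delayed_load(&im, 1);           /* simulate the failed delayed load */
    for (int i = 0; i < nworkers; i++) {
        args[i].im = &im;
        args[i].result = 0;
        pthread_create(&tids[i], NULL, worker, &args[i]);
    }
    int errors = 0;
    for (int i = 0; i < nworkers; i++) {
        pthread_join(tids[i], NULL);
        if (args[i].result != 0) errors++;
    }
    return errors;
}

/* Successful-load scenario: the checked path produces pixels and returns 0. */
int run_successful_load_scenario(void)
{
    image im = { PTHREAD_MUTEX_INITIALIZER, 0, NULL };
    unsigned char buf[16];
    if (delayed_load(&im, 0) != 0) return -1;
    if (region_generate_checked(&im, buf, sizeof buf) != 0) return -1;
    return buf[0] == 0x7f ? 0 : -1;
}
```

The practical takeaway is the shape of the check: a "load attempted" flag is not the same as "load succeeded", so the dispatch site must test the state a failed load actually leaves behind (here, the NULL pointer) rather than the flag, and must read it under the same lock the loader writes it under.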



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 11 Mar 2018 09:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Mar 2018 09:39:09 GMT)


Message #10 received at 892589-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 892589-close@bugs.debian.org
Subject: Bug#892589: fixed in vips 8.4.5-2
Date: Sun, 11 Mar 2018 09:36:39 +0000
Source: vips
Source-Version: 8.4.5-2

We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated vips package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Mar 2018 07:39:29 +0000
Source: vips
Binary: libvips42 libvips-dev libvips-tools python-vipscc libvips-doc gir1.2-vips-8.0
Architecture: source amd64 all
Version: 8.4.5-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 gir1.2-vips-8.0 - GObject introspection data for VIPS
 libvips-dev - image processing system good for very large ones (dev)
 libvips-doc - image processing system good for very large ones (doc)
 libvips-tools - image processing system good for very large ones (tools)
 libvips42  - image processing system good for very large ones
 python-vipscc - image processing system good for very large ones (tools)
Closes: 892589
Changes:
 vips (8.4.5-2) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2018-7998: fix a crash with
     delayed load (closes: #892589).
Checksums-Sha1:
 0ae9855c3c7960001cf44a52fc2de4aca03b415c 2679 vips_8.4.5-2.dsc
 254b6e0004e334bd496924c2929308482054094d 10820 vips_8.4.5-2.debian.tar.xz
 6d87488c71792750833fb731bcd241213cf54397 76748 gir1.2-vips-8.0_8.4.5-2_amd64.deb
 65631fb6951f38b2c6991a751a97a99ff35eba06 935096 libvips-dev_8.4.5-2_amd64.deb
 4704ea4a2984b9a5fd12738d8b71b1969d6598ea 282588 libvips-doc_8.4.5-2_all.deb
 3064bcd66ba720ad5c3f50227837618fe64f34f4 61536 libvips-tools-dbgsym_8.4.5-2_amd64.deb
 4c0689a86200f376e711beef19c059c27455901d 94220 libvips-tools_8.4.5-2_amd64.deb
 9eb610c275517ddbbe88538658b4c60adc04a0a0 3279212 libvips42-dbgsym_8.4.5-2_amd64.deb
 048e2b9bde869bb1fe208e97449351d421959ed7 747616 libvips42_8.4.5-2_amd64.deb
 4824bca9b0271c5ce5567986b20fb4043ca99d5c 1194448 python-vipscc-dbgsym_8.4.5-2_amd64.deb
 75090e5ac95011b4a9ebe8081704fba65890fdb5 276292 python-vipscc_8.4.5-2_amd64.deb
 869b0d5107b98d57565dd473f145426cd0ea5926 18315 vips_8.4.5-2_amd64.buildinfo
Checksums-Sha256:
 04e2f743d2a4ac59d919163829d2f1bde57d900e3dc3235698ac6a6de45a7534 2679 vips_8.4.5-2.dsc
 045edb9b27a980fa76b4b63671530db8aff6a99f2c8228c0ec7a864a73089f29 10820 vips_8.4.5-2.debian.tar.xz
 4e310757f2fcdf04e76754308164595f6ce84becb255af3dc42b4278fd7e9886 76748 gir1.2-vips-8.0_8.4.5-2_amd64.deb
 5efc86e5aa22cee82f905907f3ca896fbea3c2f60c0a2a12e54b9b3cc7b33369 935096 libvips-dev_8.4.5-2_amd64.deb
 792f594b21fe0673eb5a212798fd1aeeadb5d291167d16f802fe445663a106b7 282588 libvips-doc_8.4.5-2_all.deb
 50de3ad03163bd59496c9c7662e9ffc23b5b0c71b7cf8c9ae3c5c00f1bb528da 61536 libvips-tools-dbgsym_8.4.5-2_amd64.deb
 31d7a63b54277ec0113f17c76bfaf439878dbeb235edf6179332318b4ffc8fc8 94220 libvips-tools_8.4.5-2_amd64.deb
 da0e31f8340b2483bb531150e9b21a07e9de77deaf4f5ed8a3e1375d515ddbd4 3279212 libvips42-dbgsym_8.4.5-2_amd64.deb
 ce45194a6e1301469b6e2c60e60b01536ab817006cf233704c061d53868abbd7 747616 libvips42_8.4.5-2_amd64.deb
 1f24baf04ba0d4ada6db60167514dc2a4e12cc2b3e81ea75b063f13ae4c97217 1194448 python-vipscc-dbgsym_8.4.5-2_amd64.deb
 23a086d49fb1a8758807cdb4a5837f95d796b556aff96e57dd721af35b20255c 276292 python-vipscc_8.4.5-2_amd64.deb
 8c832249d983bcc4865affb5d42e05e2450465d5754dcd026ad00b35fc1aa091 18315 vips_8.4.5-2_amd64.buildinfo
Files:
 58562e3980345b1cc0b42a59a4fb9636 2679 libs optional vips_8.4.5-2.dsc
 e95f722dcc89c4238d337766ca33b2cd 10820 libs optional vips_8.4.5-2.debian.tar.xz
 e0ae0b98152123987d60497fba20f631 76748 introspection optional gir1.2-vips-8.0_8.4.5-2_amd64.deb
 9d642cdc28069c89492676fd9b595328 935096 libdevel optional libvips-dev_8.4.5-2_amd64.deb
 3f40bb59c324d7787f8ba877c134297b 282588 doc optional libvips-doc_8.4.5-2_all.deb
 3185aa5e7514ae29fc0c3161941b2e09 61536 debug optional libvips-tools-dbgsym_8.4.5-2_amd64.deb
 8e06ac5a239f4cf7fe0d0bf7d28570f5 94220 graphics optional libvips-tools_8.4.5-2_amd64.deb
 389094e72b665d7461a35ad906581ed5 3279212 debug optional libvips42-dbgsym_8.4.5-2_amd64.deb
 604156fc21b29df428531b767c69d6b1 747616 libs optional libvips42_8.4.5-2_amd64.deb
 f1c1022b54bf89294b6d502b624b7e8c 1194448 debug optional python-vipscc-dbgsym_8.4.5-2_amd64.deb
 ec56396087ca48521c60ca18d324e8d1 276292 python optional python-vipscc_8.4.5-2_amd64.deb
 d34ae11a1a0f3b5463a58f5fe65f9f9a 18315 libs optional vips_8.4.5-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Apr 2018 07:32:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:29:58 2019; Machine Name: buxtehude
