Debian Bug report logs - #892589
vips: CVE-2018-7998
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#892589; Package src:vips. (Sun, 11 Mar 2018 07:33:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 11 Mar 2018 07:33:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: vips
Version: 8.4.5-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/jcupitt/libvips/issues/893

Hi,

the following vulnerability was published for vips.

CVE-2018-7998[0]:
| In libvips before 8.6.3, a NULL function pointer dereference
| vulnerability was found in the vips_region_generate function in
| region.c, which allows remote attackers to cause a denial of service or
| possibly have unspecified other impact via a crafted image file. This
| occurs because of a race condition involving a failed delayed load and
| other worker threads.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7998
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7998
[1] https://github.com/jcupitt/libvips/issues/893
[2] https://github.com/jcupitt/libvips/commit/20d840e6da15c1574b3ed998bc92f91d1e36c2a5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>: You have taken responsibility. (Sun, 11 Mar 2018 09:39:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 11 Mar 2018 09:39:09 GMT)
Message #10 received at 892589-close@bugs.debian.org:
Source: vips
Source-Version: 8.4.5-2

We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 892589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated vips package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 11 Mar 2018 07:39:29 +0000
Source: vips
Binary: libvips42 libvips-dev libvips-tools python-vipscc libvips-doc gir1.2-vips-8.0
Architecture: source amd64 all
Version: 8.4.5-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 gir1.2-vips-8.0 - GObject introspection data for VIPS
 libvips-dev - image processing system good for very large ones (dev)
 libvips-doc - image processing system good for very large ones (doc)
 libvips-tools - image processing system good for very large ones (tools)
 libvips42  - image processing system good for very large ones
 python-vipscc - image processing system good for very large ones (tools)
Closes: 892589
Changes:
 vips (8.4.5-2) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2018-7998: fix a crash with
     delayed load (closes: #892589).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Apr 2018 07:32:16 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:29:58 2019; Machine Name: buxtehude