Debian Bug report logs -
#839827
freeimage: CVE-2016-5684
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 5 Oct 2016 13:09:01 UTC
Severity: grave
Tags: security, upstream
Found in versions freeimage/3.17.0+ds1-2, freeimage/3.15.1-1.1
Fixed in versions freeimage/3.17.0+ds1-3, freeimage/3.15.4-4.2+deb8u1
Done: Anton Gladky <gladk@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#839827; Package src:freeimage.
(Wed, 05 Oct 2016 13:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>.
(Wed, 05 Oct 2016 13:09:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: freeimage
Version: 3.17.0+ds1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for freeimage.
CVE-2016-5684[0]:
XMP Image Handling Code Execution Vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-5684
Please adjust the affected versions in the BTS as needed. Only sid has
been checked source wise in this case.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#839827; Package src:freeimage.
(Wed, 05 Oct 2016 14:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Balint Reczey <balint@balintreczey.hu>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>.
(Wed, 05 Oct 2016 14:18:04 GMT) (full text, mbox, link).
Message #10 received at 839827@bugs.debian.org (full text, mbox, reply):
Hi,
On Wed, 05 Oct 2016 15:07:41 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: freeimage
> Version: 3.17.0+ds1-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> the following vulnerability was published for freeimage.
>
> CVE-2016-5684[0]:
> XMP Image Handling Code Execution Vulnerability
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-5684
>
> Please adjust the affected versions in the BTS as needed. Only sid has
> been checked source wise in this case.
Jessie and Wheezy seem to be affected as well.
Cheers,
Balint
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#839827; Package src:freeimage.
(Thu, 06 Oct 2016 08:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Ghislain Vaillant <ghisvail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>.
(Thu, 06 Oct 2016 08:33:03 GMT) (full text, mbox, link).
Message #15 received at 839827@bugs.debian.org (full text, mbox, reply):
Dear Salvatore, Balint,
Thanks for forwarding the CVE to us and verifying which versions of the
package were affected.
I'll monitor the progress of this CVE. The CVE reporter offered some
clues as to how to mitigate the problem, but I wonder how appropriate
closure of this vulnerability can be verified.
Any suggestions would be welcome.
Best regards,
Ghis
Marked as found in versions freeimage/3.15.1-1.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 06 Oct 2016 09:09:02 GMT) (full text, mbox, link).
Reply sent
to Ghislain Antony Vaillant <ghisvail@gmail.com>:
You have taken responsibility.
(Tue, 11 Oct 2016 19:24:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 11 Oct 2016 19:24:05 GMT) (full text, mbox, link).
Message #22 received at 839827-close@bugs.debian.org (full text, mbox, reply):
Source: freeimage
Source-Version: 3.17.0+ds1-3
We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 839827@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ghislain Antony Vaillant <ghisvail@gmail.com> (supplier of updated freeimage package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 10 Oct 2016 15:12:26 +0100
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg libfreeimageplus-dev libfreeimageplus-doc libfreeimageplus3 libfreeimageplus3-dbg
Architecture: source
Version: 3.17.0+ds1-3
Distribution: unstable
Urgency: critical
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Ghislain Antony Vaillant <ghisvail@gmail.com>
Description:
libfreeimage-dev - Support library for graphics image formats (development files)
libfreeimage3 - Support library for graphics image formats (library)
libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
libfreeimageplus-dev - C++ wrappers for FreeImage (development files)
libfreeimageplus-doc - C++ wrappers for FreeImage (documentation)
libfreeimageplus3 - C++ wrappers for freeimage (library)
libfreeimageplus3-dbg - C++ wrappers for FreeImage (debugging symbols)
Closes: 839827
Changes:
freeimage (3.17.0+ds1-3) unstable; urgency=critical
.
[ Ghislain Antony Vaillant ]
* Fix CVE-2016-5864: apply patch from wheezy-security.
Thanks to Salvatore Bonaccorso, Balint Reczey and Chris Lamb
(Closes: #839827)
* d/gbp.conf: use master as packaging branch.
* Bump standards version to 3.9.8, no changes required.
* Upgrade to debhelper 10.
- Bump compat version to 10.
- Bump versioned depends of debhelper to 10.
- Drop explicit usage of `--with autoreconf` from dh command.
- Drop explicit usage of `--parallel` from dh command.
* Use DEB_BUILD_MAINT_OPTIONS for hardening.
* Disable PIE hardening feature.
.
[ Anton Gladky ]
* Change the urgency to critical.
Checksums-Sha1:
88711d92a06d6a989b24472eb8bc3e15ae5e8e9c 2675 freeimage_3.17.0+ds1-3.dsc
d7afc36f02cc5a4be21a2471f684ad44749e5444 22936 freeimage_3.17.0+ds1-3.debian.tar.xz
Checksums-Sha256:
13504bfc404f9f7806a11820734d42f790a31f8d475dff433470b1c5892156c6 2675 freeimage_3.17.0+ds1-3.dsc
ec4e0328dea5989a7c5e8b54fa4a81be214cc7d7bd4febfe4a516ebaf27349ce 22936 freeimage_3.17.0+ds1-3.debian.tar.xz
Files:
aa7f6df0440daf387c979295e3ce7c07 2675 libs optional freeimage_3.17.0+ds1-3.dsc
29c869efc7a73cdef6d132959163e8f7 22936 libs optional freeimage_3.17.0+ds1-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJX/TMcAAoJENPhc4PPp/8G78UQAJPSrpi9Kb4CjXUh0EuBzmk1
8VXoCSKx61Bw1Y68nvLhbcvmIJT8jzmLxZXYnVhn1B9p+Q97ZSoFz/89ITzhQNH7
NrcU0wCS9upXx3th5ThJBkhqqdl3orQDiTlhRvViBiUTcwRc/YuZutp6/FqwCc8T
Eoi3YksNV5ShyAHYT3E521KzYeb/HQ6wJGEptzJmL0fgxLeVQZ4/hCSv6U5TX6O7
rmE8TBPARckIU7l5P4v1KHds5T2joiE20OEFzNTo+ZylvtjHHUEFs758D+tFekef
9hREardF8G1ou+OcJKfIqsjb1pPBMCAX1QzyaX+S89hWwpvMnca4z561s/gIyJlY
15qncvq5lsfgnm8lhnHFGsxQFRJ7DrMvjesagk5nKxYx+HPD8j5YDYbMza8povXO
eEVFZCVbizrjRS7DHiig0Fgs0Pg8Tbyjdg6M6kCW4LxQsRhs9vBML2QV08+7n2Fj
L9EDnRw708F3rCW9xYZcuY4u0rujDtdwor9ycK4+4z7Uyhx3zhVb/qSu3NtwQgGl
CxXemU95JtmMqIsAivnw+wCJe9WwxtwRGH8+DLaVdWoTW1IoypOIz/jMtGRtnCxZ
Pq0lC5jm4esIL/QHAZ+GjD9tXPWNDOAuO6XnPzMhFn28A5wJ1X0SBuWC4i/9WtyQ
vTRAGp00ZuJlEl1pfyf4
=yCag
-----END PGP SIGNATURE-----
Reply sent
to Anton Gladky <gladk@debian.org>:
You have taken responsibility.
(Fri, 14 Oct 2016 20:12:04 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 14 Oct 2016 20:12:05 GMT) (full text, mbox, link).
Message #27 received at 839827-close@bugs.debian.org (full text, mbox, reply):
Source: freeimage
Source-Version: 3.15.4-4.2+deb8u1
We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 839827@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated freeimage package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 11 Oct 2016 21:00:24 +0200
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source
Version: 3.15.4-4.2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Description:
libfreeimage-dev - Support library for graphics image formats (development files)
libfreeimage3 - Support library for graphics image formats (library)
libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 786790 839827
Changes:
freeimage (3.15.4-4.2+deb8u1) jessie-security; urgency=high
.
* [f51f898] Fix CVE-2015-3885: integer overflow in the ljpeg_start function
(Closes: #786790)
* [b2e0c3f] Fix CVE-2016-5864: apply patch from wheezy-security.
Thanks to Salvatore Bonaccorso, Balint Reczey and Chris Lamb
(Closes: #839827)
Checksums-Sha1:
ea30cb74210f4e847c67cf6ef2c56c4f2a9d98df 2160 freeimage_3.15.4-4.2+deb8u1.dsc
0a33537e32ad9bd4cf7b151a32de96905da27d3e 5768019 freeimage_3.15.4.orig.tar.gz
3ce43cf089d11596f14ea34fbf79d60744305524 34200 freeimage_3.15.4-4.2+deb8u1.debian.tar.xz
Checksums-Sha256:
25905f9ec54630e38cfda93391f876779f5b6ff5c413b765e2537f788b61c375 2160 freeimage_3.15.4-4.2+deb8u1.dsc
f85b43e8bffda2b26b15a2d09242a77dd08ba17d7207ec2f18278163a29565d9 5768019 freeimage_3.15.4.orig.tar.gz
3099001958df24a48afaa4d4c4f913656de4d8ca8705cdb9d0846418cd14cb17 34200 freeimage_3.15.4-4.2+deb8u1.debian.tar.xz
Files:
6f12176255121ffc422cf4c67d9cdf6e 2160 libs optional freeimage_3.15.4-4.2+deb8u1.dsc
a1164eb85ab51bda023328ec740a5679 5768019 libs optional freeimage_3.15.4.orig.tar.gz
088bb33194e5b256e8f6a9bbb7805830 34200 libs optional freeimage_3.15.4-4.2+deb8u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJX/VVzAAoJENPhc4PPp/8GptcP/0PCO+rWGX6SF09UF8IvEzBB
pgKk+e3AYR+VdsMhVdHMVWytwMSOa5yGs+6ZZHZKOUV8JgA+4ohFINxZJ5Xpcfr6
kA53+g/L/r+WyOsXJTVdG1PDd9wOA5aLb4JV4lzxoo/lY6JS7oEYzSOC/PbLGZTp
TS+EF32lmo9JMjhYe5Nxr3qq5CuWCLBW3QadSfLQQoYnoxTD5Sxtn4aRzz8ocwpe
6U2cgGFuKez+1o6GpNrihV97pW9jKWPWXjA4+GCLG9Th9X9C7zgD3mx1yRmOhT5i
yDN8fXm3xxoLAI2etX5IuqMuCuKRRcB/Q3ypsKAkAxiUksND8UPpLb6C4q0AzepN
YMUCL3h47FFcwHViFRS3UOxiH5i6uJqHdRMqeIedG1qyNUnQv4c9QWOdOfnp+Kvi
oFT0f7XEwEOKVcl0L180Q702ZWqtVncMRkep/sxvd80Gog/ykPoT6bOa0i2qzJXd
yLXNHkAKYSbf3zz74zL/s65EE/qiiIAMdYMrD/LsGg7c2uz7V54Cw/VHneeMFsar
dNKnGUx4g2ZaX9LcxwCIaw0L8yflpFPLxQCcmcLQA7uEMollY2wpNeLXdvpSCE1U
DQC8l/hp8EHvHmhoq17V2vZn+5aJGLTYwbkOTzt1fi3QRycXnVs0y3FMl50K55uc
pqGHaAUYwuH4tcXPnh+p
=9+YY
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 12 Nov 2016 07:28:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:49:45 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon