advancecomp: CVE-2019-8383

Related Vulnerabilities: CVE-2019-8383   CVE-2019-8379  

Debian Bug report logs - #928730


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 9 May 2019 19:45:05 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in versions advancecomp/2.1-2, advancecomp/1.20-1

Fixed in version advancecomp/2.1-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://sourceforge.net/p/advancemame/bugs/272/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#928730; Package src:advancecomp. (Thu, 09 May 2019 19:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Piotr Ożarowski <piotr@debian.org>. (Thu, 09 May 2019 19:45:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: advancecomp: CVE-2019-8383
Date: Thu, 09 May 2019 21:43:52 +0200
Source: advancecomp
Version: 2.1-2
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/advancemame/bugs/272/

Hi,

The following vulnerability was published for advancecomp.

CVE-2019-8383[0]:
| An issue was discovered in AdvanceCOMP through 2.1. An invalid memory
| address occurs in the function adv_png_unfilter_8 in lib/png.c. It can
| be triggered by sending a crafted file to a binary. It allows an
| attacker to cause a Denial of Service (Segmentation fault) or possibly
| have unspecified other impact when a victim opens a specially crafted
| file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-8383
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8383
[1] https://sourceforge.net/p/advancemame/bugs/272/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
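The advisory above names an invalid memory access in an 8-bit PNG row unfilter reached through a crafted file. The following is an added example, not AdvanceCOMP's lib/png.c or the NMU patch: a row unfilter for the None, Sub and Up filter types that validates the declared row geometry against the actual buffer sizes before touching any sample, which is the check whose absence lets an image's header drive reads or writes past the row buffers. The function names, the `png_unfilter_selftest` helper and the sample rows are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Filter types from the PNG specification (Average and Paeth omitted here). */
enum { PNG_FILTER_NONE = 0, PNG_FILTER_SUB = 1, PNG_FILTER_UP = 2 };

/* Reconstruct one scanline of `width` pixels at `bpp` bytes per pixel.
 * `in` holds the filter byte followed by the filtered samples, `prev` is the
 * previous reconstructed row (NULL for the first row), `out` receives the
 * result. Returns 0 on success, -1 if the declared geometry does not fit the
 * buffers or the filter type is unknown. Illustrative code, not AdvanceCOMP's. */
int png_unfilter_row_8(uint8_t *out, size_t out_len,
                       const uint8_t *in, size_t in_len,
                       const uint8_t *prev, unsigned width, unsigned bpp)
{
    /* Compute the row length without overflow and refuse anything that
     * would index past either buffer; this is decided by header values. */
    if (bpp == 0 || bpp > 8 || width == 0 || width > SIZE_MAX / bpp) return -1;
    size_t row = (size_t)width * bpp;
    if (in_len < row + 1 || out_len < row) return -1;

    const uint8_t *src = in + 1;
    switch (in[0]) {
    case PNG_FILTER_NONE:
        memcpy(out, src, row);
        return 0;
    case PNG_FILTER_SUB:   /* add the sample bpp bytes to the left, 0 at row start */
        for (size_t i = 0; i < row; i++)
            out[i] = (uint8_t)(src[i] + (i >= bpp ? out[i - bpp] : 0));
        return 0;
    case PNG_FILTER_UP:    /* add the sample directly above; first row uses zeros */
        for (size_t i = 0; i < row; i++)
            out[i] = (uint8_t)(src[i] + (prev ? prev[i] : 0));
        return 0;
    default:
        return -1;         /* unknown filter byte: reject instead of guessing */
    }
}

/* Constructed self-check: two valid rows and one header/data mismatch. */
int png_unfilter_selftest(void)
{
    static const uint8_t sub_row[] = { PNG_FILTER_SUB, 10, 5, 5 };
    static const uint8_t up_row[]  = { PNG_FILTER_UP, 1, 1, 1 };
    static const uint8_t prev[]    = { 1, 2, 3 };
    uint8_t out[3];
    if (png_unfilter_row_8(out, 3, sub_row, 4, NULL, 3, 1) != 0) return 0;
    if (out[0] != 10 || out[1] != 15 || out[2] != 20) return 0;
    if (png_unfilter_row_8(out, 3, up_row, 4, prev, 3, 1) != 0) return 0;
    if (out[0] != 2 || out[1] != 3 || out[2] != 4) return 0;
    /* Width claims 8 pixels but only 3 bytes of data/output exist: reject. */
    return png_unfilter_row_8(out, 3, sub_row, 4, NULL, 8, 1) == -1;
}
```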



Marked as found in versions advancecomp/1.20-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 May 2019 20:00:02 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 16 May 2019 19:30:10 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 928729-submit@bugs.debian.org. (Sat, 18 May 2019 21:00:05 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 928729-submit@bugs.debian.org. (Sat, 18 May 2019 21:00:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#928730; Package src:advancecomp. (Sat, 18 May 2019 21:00:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Sat, 18 May 2019 21:00:07 GMT) (full text, mbox, link).


Message #18 received at 928730@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 928729@bugs.debian.org, 928730@bugs.debian.org
Subject: advancecomp: diff for NMU version 2.1-2.1
Date: Sat, 18 May 2019 22:57:28 +0200
Control: tags 928729 + patch
Control: tags 928729 + pending
Control: tags 928730 + patch
Control: tags 928730 + pending
Control: severity 928729 serious # should not enter with open CVE in buster
Control: severity 928730 serious # should not enter with open CVE in buster


Dear maintainer,

I've prepared an NMU for advancecomp (versioned as 2.1-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Note I raised the severity to make sure the fixes enter buster and
buster will not release with open CVEs for advancecomp. The severity
of both issues might not warrant an RC status otherwise per se.

If, though, you disagree with raising the severity to RC, feel free
to downgrade.

Regards,
Salvatore
[advancecomp-2.1-2.1-nmu.diff (text/x-diff, attachment)]

Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 May 2019 21:03:03 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 23 May 2019 21:36:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 23 May 2019 21:36:06 GMT) (full text, mbox, link).


Message #25 received at 928730-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 928730-close@bugs.debian.org
Subject: Bug#928730: fixed in advancecomp 2.1-2.1
Date: Thu, 23 May 2019 21:33:28 +0000
Source: advancecomp
Source-Version: 2.1-2.1

We believe that the bug you reported is fixed in the latest version of
advancecomp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928730@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated advancecomp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 18 May 2019 22:50:20 +0200
Source: advancecomp
Architecture: source
Version: 2.1-2.1
Distribution: unstable
Urgency: medium
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 928729 928730
Changes:
 advancecomp (2.1-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix a buffer overflow caused by invalid images (CVE-2019-8383)
     (Closes: #928730)
   * Fix a buffer overflow caused by invalid chunks (CVE-2019-8379)
     (Closes: #928729)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:15 2019; Machine Name: buxtehude
