mruby: CVE-2018-11743

Related Vulnerabilities: CVE-2018-11743   CVE-2018-12249   CVE-2018-12248  

Debian Bug report logs - #900845
mruby: CVE-2018-11743


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 5 Jun 2018 20:39:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version mruby/1.4.1-1

Fixed in version mruby/1.4.1+20180622+git640fca32-1

Done: Nobuhiro Iwamatsu <iwamatsu@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/mruby/mruby/issues/4027



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#900845; Package src:mruby. (Tue, 05 Jun 2018 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Tue, 05 Jun 2018 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mruby: CVE-2018-11743
Date: Tue, 05 Jun 2018 22:35:08 +0200
Source: mruby
Version: 1.4.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mruby/mruby/issues/4027

Hi,

The following vulnerability was published for mruby.

CVE-2018-11743[0]:
| The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy
| calls for TT_ICLASS objects, which allows attackers to cause a denial
| of service (mrb_hash_keys uninitialized pointer and application crash)
| or possibly have unspecified other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11743
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11743
[1] https://github.com/mruby/mruby/issues/4027

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 11 Jun 2018 17:39:09 GMT)


Reply sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>: You have taken responsibility. (Fri, 22 Jun 2018 01:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 22 Jun 2018 01:09:03 GMT)


Message #12 received at 900845-close@bugs.debian.org:

From: Nobuhiro Iwamatsu <iwamatsu@debian.org>
To: 900845-close@bugs.debian.org
Subject: Bug#900845: fixed in mruby 1.4.1+20180622+git640fca32-1
Date: Fri, 22 Jun 2018 01:04:06 +0000
Source: mruby
Source-Version: 1.4.1+20180622+git640fca32-1

We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900845@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwamatsu@debian.org> (supplier of updated mruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 22 Jun 2018 07:59:03 +0900
Source: mruby
Binary: mruby libmruby-dev
Architecture: source amd64
Version: 1.4.1+20180622+git640fca32-1
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Description:
 libmruby-dev - lightweight implementation of the Ruby language (development file
 mruby      - lightweight implementation of the Ruby language
Closes: 900845
Changes:
 mruby (1.4.1+20180622+git640fca32-1) unstable; urgency=medium
 .
   * Snapshot, taken from the master (20180622).
     - Fix CVE-2018-11743, CVE-2018-12249 CVE-2018-12248.
       Closes: #900845 #901652 #901653
   * Remove patches/Fix-test-on-big-endian-CPUs.patch.
     Applied to upstream.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jul 2018 07:26:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:23:29 2019; Machine Name: buxtehude
