libextractor: CVE-2018-16430: Out of Bound Read

Related Vulnerabilities: CVE-2018-16430   CVE-2018-14346   CVE-2018-14347   CVE-2017-15922   CVE-2017-17440  

Debian Bug report logs - #907987

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 4 Sep 2018 20:27:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in versions libextractor/1:1.3-1, libextractor/1:1.3-4, libextractor/1:1.6-2

Fixed in versions libextractor/1:1.7-1, libextractor/1:1.3-4+deb9u2

Done: Bertrand Marc <bmarc@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://gnunet.org/bugs/view.php?id=5405


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#907987; Package src:libextractor. (Tue, 04 Sep 2018 20:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Bertrand Marc <bmarc@debian.org>. (Tue, 04 Sep 2018 20:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libextractor: CVE-2018-16430: Out of Bound Read
Date: Tue, 04 Sep 2018 22:24:20 +0200
Source: libextractor
Version: 1:1.6-2
Severity: important
Tags: patch security upstream
Forwarded: https://gnunet.org/bugs/view.php?id=5405

Hi,

The following vulnerability was published for libextractor.

CVE-2018-16430[0]:
| GNU Libextractor through 1.7 has an out-of-bounds read vulnerability in
| EXTRACTOR_zip_extract_method() in zip_extractor.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16430
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16430
[1] https://gnunet.org/bugs/view.php?id=5405
[2] https://gnunet.org/git/libextractor.git/commit/?id=24c8d489797499c0331f4d1039e357ece1ae98a7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libextractor/1:1.3-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Sep 2018 20:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#907987; Package src:libextractor. (Wed, 05 Sep 2018 22:00:06 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Wed, 05 Sep 2018 22:00:06 GMT)


Message #12 received at 907987@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 907987@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: libextractor: CVE-2018-16430: Out of Bound Read
Date: Wed, 05 Sep 2018 22:57:19 +0100

Hi,

> libextractor: CVE-2018-16430: Out of Bound Read

Happy to prepare a stable-security upload of this if team@security.d.o
are interested?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#907987; Package src:libextractor. (Thu, 06 Sep 2018 04:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Thu, 06 Sep 2018 04:39:02 GMT)


Message #17 received at 907987@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 907987@bugs.debian.org, team@security.debian.org
Subject: Re: libextractor: CVE-2018-16430: Out of Bound Read
Date: Thu, 6 Sep 2018 06:37:51 +0200

Hi Chris,

On Wed, Sep 05, 2018 at 10:57:19PM +0100, Chris Lamb wrote:
> Hi,
> 
> > libextractor: CVE-2018-16430: Out of Bound Read
> 
> Happy to prepare a stable-security upload of this if team@security.d.o
> are interested?

Think this will not be needed this time, but thanks for the offer!
Maintainer prepared an update for the previous two CVEs, and is
pending, and we asked if he can include the fix for CVE-2018-16430 as
well already in the new debdiff.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#907987; Package src:libextractor. (Thu, 06 Sep 2018 19:21:02 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Thu, 06 Sep 2018 19:21:02 GMT)


Message #22 received at 907987@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 907987@bugs.debian.org, team@security.debian.org
Subject: Re: libextractor: CVE-2018-16430: Out of Bound Read
Date: Thu, 06 Sep 2018 20:16:55 +0100

Hi Salvatore,

> > > libextractor: CVE-2018-16430: Out of Bound Read
> > 
> > Happy to prepare a stable-security upload of this if team@security.d.o
> > are interested?
> 
> Think this will not be needed this time, but thanks for the offer!
> Maintainer prepared an update for the previous two CVEs

CVE-2018-14346 & CVE-2018-14347?

(I see these are fixed in jessie)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Sep 2018 12:54:05 GMT)


Marked as found in versions libextractor/1:1.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Sep 2018 13:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#907987; Package src:libextractor. (Sun, 09 Sep 2018 13:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Sun, 09 Sep 2018 13:03:05 GMT)


Message #31 received at 907987@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 907987@bugs.debian.org, team@security.debian.org
Subject: Re: libextractor: CVE-2018-16430: Out of Bound Read
Date: Sun, 9 Sep 2018 14:58:37 +0200

Hi Chris,

On Thu, Sep 06, 2018 at 08:16:55PM +0100, Chris Lamb wrote:
> Hi Salvatore,
> 
> > > > libextractor: CVE-2018-16430: Out of Bound Read
> > > 
> > > Happy to prepare a stable-security upload of this if team@security.d.o
> > > are interested?
> > 
> > Think this will not be needed this time, but thanks for the offer!
> > Maintainer prepared an update for the previous two CVEs
> 
> CVE-2018-14346 & CVE-2018-14347?
> 
> (I see these are fixed in jessie)

yupp, exactly.

Regards,
Salvatore



Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Sun, 30 Sep 2018 14:45:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 30 Sep 2018 14:45:17 GMT)


Message #36 received at 907987-close@bugs.debian.org:

From: Bertrand Marc <bmarc@debian.org>
To: 907987-close@bugs.debian.org
Subject: Bug#907987: fixed in libextractor 1:1.7-1
Date: Sun, 30 Sep 2018 14:44:11 +0000
Source: libextractor
Source-Version: 1:1.7-1

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907987@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 09 Sep 2018 07:15:53 +0200
Source: libextractor
Binary: libextractor3 libextractor-dev extract
Architecture: source amd64
Version: 1:1.7-1
Distribution: unstable
Urgency: medium
Maintainer: Bertrand Marc <bmarc@debian.org>
Changed-By: Bertrand Marc <bmarc@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 888373 904903 904905 907987
Changes:
 libextractor (1:1.7-1) unstable; urgency=medium
 .
   * New upstream version 1.7:
     + fix stack-buffer-underflow (Closes: #904903, CVE-2018-14346).
     + fix infinite loop in extract (Closes: #904905, CVE-2018-14347).
     + fix build with FFmpeg 4.0 (Closes: #888373).
   * Move the package to salsa and update Vcs-browser and Vcs-git accordingly.
   * Remove build-dependency on mp4v2, as the plugin is not working anyway.
   * Remove CVE-2017-15922.patch and CVE-2017-17440.patch, included upstream.
   * Add a patch to fix missing 0-terminator on corrupted ZIP files
     (Closes: #907987, CVE-2018-16430).
   * Standards-version: 4.2.1.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Tue, 02 Oct 2018 06:06:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 Oct 2018 06:06:15 GMT)


Message #41 received at 907987-close@bugs.debian.org:

From: Bertrand Marc <bmarc@debian.org>
To: 907987-close@bugs.debian.org
Subject: Bug#907987: fixed in libextractor 1:1.3-4+deb9u2
Date: Tue, 02 Oct 2018 06:03:30 +0000
Source: libextractor
Source-Version: 1:1.3-4+deb9u2

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907987@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Sep 2018 15:30:55 +0200
Source: libextractor
Binary: libextractor3 libextractor-dbg libextractor-dev extract
Architecture: source
Version: 1:1.3-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Bertrand Marc <beberking@gmail.com>
Changed-By: Bertrand Marc <bmarc@debian.org>
Closes: 904903 904905 907987
Description: 
 extract    - displays meta-data from files of arbitrary type
 libextractor-dbg - extracts meta-data from files of arbitrary type (debug)
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Changes:
 libextractor (1:1.3-4+deb9u2) stretch-security; urgency=high
 .
   * Fix CVE-2018-14346 (Closes: #904903), a stack-based buffer overflow
     in unzip.c.
   * Fix CVE-2018-14347 (Closes: #904905), infinite loop vulnerability in
     mpeg_extractor.c.
   * Fix CVE-2018-16430 (Closes: #907987), missing 0-terminator on corrupted
     ZIP files.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:35:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:52:31 2019; Machine Name: buxtehude