Debian Bug report logs - #899335
CVE-2018-11364 CVE-2018-11365

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 22 May 2018 21:42:02 UTC

Severity: normal

Tags: security, upstream

Found in version r-cran-haven/1.1.1-1

Fixed in version r-cran-haven/1.1.1-2

Done: Dirk Eddelbuettel <edd@debian.org>

Bug is archived. No further changes may be made.
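The header above gives the affected range in Debian version terms: found in r-cran-haven/1.1.1-1, fixed in 1.1.1-2, and the package was never in stable. Deciding whether a given installed version falls inside that range needs the Debian version ordering (epoch, upstream, revision, with `~` sorting before everything), not a plain string comparison. The following is an added example, not part of this bug log or of the r-cran-haven package; it implements the Debian Policy ordering rules in Python and the function names (`compare_versions`, `is_affected`) are this example's own. It also covers two edge cases the header does not spell out: a binNMU such as 1.1.1-1+b1 is still affected, and a backport such as 1.1.1-2~bpo9+1 sorts below the fixed version and is therefore also still affected.

```python
"""Debian version comparison used to test an installed r-cran-haven version
against the affected range from the bug header (found 1.1.1-1, fixed 1.1.1-2).
Added example; the algorithm follows Debian Policy 5.6.12 (dpkg's verrevcmp),
the function names are this example's own."""

from typing import Tuple

FOUND_IN = "1.1.1-1"   # from the bug header
FIXED_IN = "1.1.1-2"   # from the bug header


def _order(c: str) -> int:
    """Sort weight of one non-digit character: '~' sorts before end-of-string,
    letters before non-letters, digits are handled by the numeric pass."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256          # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate a lexical pass over non-digit runs and a numeric pass over
    digit runs.  Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Lexical pass over the non-digit prefixes on both sides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric pass: compare the digit runs as integers, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1                 # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision'.  Epoch defaults to 0; a missing revision
    is left empty, which _verrevcmp treats as equal to '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no hyphen: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions semantics: <0 if a < b, 0 if equal, >0 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_affected(installed: str, found: str = FOUND_IN, fixed: str = FIXED_IN) -> bool:
    """True when found <= installed < fixed, i.e. the embedded ReadStat copy
    has not received the upstream patches listed in the 1.1.1-2 changelog."""
    return compare_versions(installed, found) >= 0 and compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    for v in ("1.1.1-1", "1.1.1-1+b1", "1.1.1-2~bpo9+1", "1.1.1-2", "1.2.0-1"):
        print(f"{v:16} affected={is_affected(v)}")
```

On a Debian host the same check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' r-cran-haven)" lt 1.1.1-2`; the Python version is for tooling that has to evaluate version strings away from a dpkg installation.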


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#899335; Package r-cran-haven. (Tue, 22 May 2018 21:42:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Dirk Eddelbuettel <edd@debian.org>. (Tue, 22 May 2018 21:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-11364 CVE-2018-11365
Date: Tue, 22 May 2018 23:38:36 +0200
Package: r-cran-haven
Severity: normal
Tags: security

r-cran-haven embeds a copy of ReadStat for which two security issues have been
reported:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11365

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 May 2018 04:39:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#899335; Package r-cran-haven. (Thu, 24 May 2018 01:48:03 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 24 May 2018 01:48:03 GMT)


Message #12 received at 899335@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 899335@bugs.debian.org
Cc: Dirk Eddelbuettel <edd@debian.org>, Evan Miller <emmiller@gmail.com>
Subject: Re: Bug#899335: CVE-2018-11364 CVE-2018-11365
Date: Wed, 23 May 2018 20:44:18 -0500
On 22 May 2018 at 23:38, Moritz Muehlenhoff wrote:
| Package: r-cran-haven
| Severity: normal
| Tags: security
| 
| r-cran-haven embeds a copy of ReadStat for which two security issues have been
| reported:
| 
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11364
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11365

Just to keep everybody in the loop, I contacted upstream for the actual library
code (i.e. Evan, CC'ed, for ReadStat -- which is used in the R package haven
for which this CVE came in) and he was / is aware. This really came from a
set of Google auto-fuzzer reports.

Work is ongoing, but this may take a moment.

Cheers, Dirk

| 
| Cheers,
|         Moritz

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#899335; Package r-cran-haven. (Thu, 07 Jun 2018 02:33:02 GMT)


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 07 Jun 2018 02:33:03 GMT)


Message #17 received at 899335@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 899335@bugs.debian.org, Evan Miller <emmiller@gmail.com>
Subject: Re: Bug#899335: CVE-2018-11364 CVE-2018-11365
Date: Wed, 6 Jun 2018 21:28:06 -0500
On 23 May 2018 at 20:44, Dirk Eddelbuettel wrote:
| 
| On 22 May 2018 at 23:38, Moritz Muehlenhoff wrote:
| | Package: r-cran-haven
| | Severity: normal
| | Tags: security
| | 
| | r-cran-haven embeds a copy of ReadStat for which two security issues have been
| | reported:
| | 
| | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11364
| | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11365
| 
| Just to keep everybody in the loop, I contact upstream for the actual library
| code (ie Evan, CC'ed, for ReadStat -- which is used in the R package haven
| for which this CVE came in) and he was / is aware. This really came from a
| set of Google auto-fuzzer reports.
| 
| Work is ongoing, but this may take a moment.

Just uploaded r-cran-haven_1.1.1-2 to unstable right now.

Moritz: The r-cran-haven package is not in stable.  So ... are we done with
this then via unstable + testing? 

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility. (Thu, 07 Jun 2018 02:51:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 07 Jun 2018 02:51:06 GMT)


Message #22 received at 899335-close@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: 899335-close@bugs.debian.org
Subject: Bug#899335: fixed in r-cran-haven 1.1.1-2
Date: Thu, 07 Jun 2018 02:49:50 +0000
Source: r-cran-haven
Source-Version: 1.1.1-2

We believe that the bug you reported is fixed in the latest version of
r-cran-haven, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899335@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel <edd@debian.org> (supplier of updated r-cran-haven package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Jun 2018 21:11:10 -0500
Source: r-cran-haven
Binary: r-cran-haven
Architecture: source amd64
Version: 1.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description:
 r-cran-haven - GNU R package to import/export SPSS, Stata and SAS files
Closes: 899335
Changes:
 r-cran-haven (1.1.1-2) unstable; urgency=medium
 .
   * Rebuilding for R 3.5.0 transition
 .
   * debian/control: Set Build-Depends: to current R version
   * debian/control: Set Build-Depends: to 'debhelper (>= 10)'
   * debian/control: Set Standards-Version: to current version
   * debian/control: Add Vcs-Browser: and Vcs-Git:
 .
   * src/readstat/sas/readstat_sas7bcat_read.c: Upstream ReadStat patch
   * src/readstat/spss/readstat_sav.c: Idem
   * src/readstat/spss/readstat_sav_read.c: Idem
   							(Closes: #899335)
Checksums-Sha1:
 7e15abb3fd260359053d1f933509d0a958319b98 1920 r-cran-haven_1.1.1-2.dsc
 5f5108cc9fbe1db875f2b955731f54f8140150e2 3232 r-cran-haven_1.1.1-2.debian.tar.xz
 84d66f186bba42c188a792ff388b0ef2c80b4cfc 882276 r-cran-haven-dbgsym_1.1.1-2_amd64.deb
 5fc8881193d813ec2f637e7bf74e889df93009f2 9284 r-cran-haven_1.1.1-2_amd64.buildinfo
 57c93bc129003a59c17f9d89f59df1a63562d0bc 234864 r-cran-haven_1.1.1-2_amd64.deb
Checksums-Sha256:
 803b755f9147af73d04380aa57720fa4ecc8f83be0c16481ef200e3228526295 1920 r-cran-haven_1.1.1-2.dsc
 d3430983b94db50c729873ad45681cf9c0be04d210867f6f5232efb30698347c 3232 r-cran-haven_1.1.1-2.debian.tar.xz
 7501f3ee7dd7398651da3b05396795fac558473e36c68b4711f1c5cd9d2e63b4 882276 r-cran-haven-dbgsym_1.1.1-2_amd64.deb
 a6231e252035197bb8ba6df319b06e433d6c4f3990ad114921aeb2e12d13207a 9284 r-cran-haven_1.1.1-2_amd64.buildinfo
 c5c38b49fc8530c4263484d7b61b03886be6e87050552948e66bb59c4edac16a 234864 r-cran-haven_1.1.1-2_amd64.deb
Files:
 430e77652f76915dfd3f6322044d8c77 1920 gnu-r optional r-cran-haven_1.1.1-2.dsc
 abd8306523e20e32007735535b64943f 3232 gnu-r optional r-cran-haven_1.1.1-2.debian.tar.xz
 11b611f15a404faa55891a98caa5324d 882276 debug optional r-cran-haven-dbgsym_1.1.1-2_amd64.deb
 8ea5c4a5af1012dcb9bef3a8424d73f4 9284 gnu-r optional r-cran-haven_1.1.1-2_amd64.buildinfo
 6c46168103b81e0b2aa5ff22963244b8 234864 gnu-r optional r-cran-haven_1.1.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIVAwUBWxiX+KFIn+KrmaIaAQgDtQ/+LifrVcwM/tQvqvMBUPy6oEbCrTbZBvMl
voyovK832dr394oRSjeS1Jk5V4v4KvWe5UOnLDYz2GlB/nnrarfv5pUI8ZQrcg9B
V8ArfuwmusfVhcvwf0tHh9jDNFbM8cu64UngUTmN91RZeJ1S8gw/coKEMxSnIttJ
C1WlYmjEB8FFyOILy8E/YYMl+y3NxYjH/cEmsCMurlDWfNYDqYjCj/a4hMKkOuCV
1Oi2pcPMEdnpkWhd95i66MIk2k8Kl51UBTvzbj1kzZwiKqMPJxuyLFotJLkCJW9O
lT5KzOCYapyJBBi/0iKwVf/D8+1gEW4AEKOEiJv0HYKJyLQ/aH25WqZncHrfJMGZ
7wXAnaGIPAjtBTcfYu0AS89sy3MWsoqez/+mtup0AQJgUsAnUcQaHgoelu+TDrJF
9GjLw+dWyK5UHEKs4MMiKWNlnYi0v/m5O318Y7XIhPkFfG6/9Rg6mhnvo3Zi7MOa
ogi4rm/HDNmRarO61Qw2l5kO/O8CoaNeSX0efJw1K3A/1mTKrSKKB6t3dDqGfV2p
e3H0q0kwef2AmA0osPmt64zdLF+u5haNSP43hXdtuykB8WITsHsqUlTmFoSqJTaZ
VbHCfsYktLs2sGYowe8tGOD7CnXh4fRPkCePoGEN9OI+YNUIf81dl/CJgTz4hv5R
RHl6JlhUY6M=
=bd95
-----END PGP SIGNATURE-----
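The signed .changes message above carries the per-file sizes and SHA-256 digests of the 1.1.1-2 upload, which is what lets anyone who fetched those artifacts confirm they hold exactly what the maintainer signed (after verifying the PGP signature against the Debian keyring, which this snippet does not do). The following is an added example, not part of the bug log or of any Debian tooling; the helper names (`parse_changes`, `verify_dir`, `demo_tampered_copy`) are this example's own. `CHANGES_TEXT` is copied from the Checksums-Sha256 and Files fields of the message above; the small "constructed-sample" entry and the tampered files written by the demo are constructed for the example and are not Debian artifacts.

```python
"""Parse the Checksums-Sha256 and Files fields of a Debian .changes message and
verify a directory of downloaded artifacts against them.  Added example; the
field text is copied from the 'fixed in r-cran-haven 1.1.1-2' message above,
everything else (helper names, sample file) is this example's own."""

import hashlib
import os
import tempfile
from typing import Dict

# Copied from the .changes message above (only the fields this example uses).
CHANGES_TEXT = """\
Format: 1.8
Source: r-cran-haven
Version: 1.1.1-2
Checksums-Sha256:
 803b755f9147af73d04380aa57720fa4ecc8f83be0c16481ef200e3228526295 1920 r-cran-haven_1.1.1-2.dsc
 d3430983b94db50c729873ad45681cf9c0be04d210867f6f5232efb30698347c 3232 r-cran-haven_1.1.1-2.debian.tar.xz
 7501f3ee7dd7398651da3b05396795fac558473e36c68b4711f1c5cd9d2e63b4 882276 r-cran-haven-dbgsym_1.1.1-2_amd64.deb
 a6231e252035197bb8ba6df319b06e433d6c4f3990ad114921aeb2e12d13207a 9284 r-cran-haven_1.1.1-2_amd64.buildinfo
 c5c38b49fc8530c4263484d7b61b03886be6e87050552948e66bb59c4edac16a 234864 r-cran-haven_1.1.1-2_amd64.deb
Files:
 430e77652f76915dfd3f6322044d8c77 1920 gnu-r optional r-cran-haven_1.1.1-2.dsc
 abd8306523e20e32007735535b64943f 3232 gnu-r optional r-cran-haven_1.1.1-2.debian.tar.xz
 11b611f15a404faa55891a98caa5324d 882276 debug optional r-cran-haven-dbgsym_1.1.1-2_amd64.deb
 8ea5c4a5af1012dcb9bef3a8424d73f4 9284 gnu-r optional r-cran-haven_1.1.1-2_amd64.buildinfo
 6c46168103b81e0b2aa5ff22963244b8 234864 gnu-r optional r-cran-haven_1.1.1-2_amd64.deb
"""

# Constructed sample used only to exercise the 'ok' path; not a Debian artifact.
SAMPLE_NAME = "constructed-sample.txt"
SAMPLE_BYTES = b"not a real Debian artifact, constructed for this example\n"


def parse_changes(text: str) -> Dict[str, dict]:
    """Return {filename: {'sha256': hex, 'size': int}} from Checksums-Sha256 and
    cross-check that the Files field names the same files with the same sizes."""
    fields: Dict[str, list] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current:      # continuation line of a field
            fields[current].append(line.strip())
        elif ":" in line:                         # 'Field: value' header line
            current = line.split(":", 1)[0]
            fields[current] = []
    entries: Dict[str, dict] = {}
    for item in fields.get("Checksums-Sha256", []):
        digest, size, name = item.split()
        if len(digest) != 64:
            raise ValueError(f"malformed sha256 for {name}")
        entries[name] = {"sha256": digest.lower(), "size": int(size)}
    files_sizes = {}
    for item in fields.get("Files", []):
        _md5, size, _section, _priority, name = item.split()
        files_sizes[name] = int(size)
    if files_sizes != {n: e["size"] for n, e in entries.items()}:
        raise ValueError("Files and Checksums-Sha256 fields disagree")
    return entries


def verify_dir(entries: Dict[str, dict], directory: str) -> Dict[str, str]:
    """Verdict per listed file: 'ok', 'missing', 'size mismatch' or 'sha256 mismatch'.
    The size check runs first because it is cheap and catches truncated downloads."""
    results = {}
    for name, want in entries.items():
        # basename() keeps a hostile '../x' filename from escaping the directory.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != want["size"]:
            results[name] = "size mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == want["sha256"] else "sha256 mismatch"
    return results


def demo_tampered_copy() -> Dict[str, str]:
    """Constructed scenario: a .dsc of the right size but wrong content, a truncated
    debian.tar.xz, the other uploads absent, plus the constructed sample intact."""
    entries = parse_changes(CHANGES_TEXT)
    entries[SAMPLE_NAME] = {"sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
                            "size": len(SAMPLE_BYTES)}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "r-cran-haven_1.1.1-2.dsc"), "wb") as fh:
            fh.write(b"x" * 1920)
        with open(os.path.join(d, "r-cran-haven_1.1.1-2.debian.tar.xz"), "wb") as fh:
            fh.write(b"truncated")
        with open(os.path.join(d, SAMPLE_NAME), "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return verify_dir(entries, d)


if __name__ == "__main__":
    for name, verdict in demo_tampered_copy().items():
        print(f"{verdict:16} {name}")
```

A size that matches while the digest does not (the .dsc case in the demo) is the pattern to treat as tampering rather than a download error; a truncated file fails on size alone. Run the same `verify_dir` over the files actually fetched from the archive, after checking the signature on the .changes, to confirm the 1.1.1-2 artifacts are the ones the maintainer signed.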




Marked as found in versions r-cran-haven/1.1.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Jun 2018 04:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#899335; Package r-cran-haven. (Thu, 07 Jun 2018 06:54:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Thu, 07 Jun 2018 06:54:03 GMT)


Message #29 received at 899335@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 899335@bugs.debian.org, Evan Miller <emmiller@gmail.com>
Subject: Re: Bug#899335: CVE-2018-11364 CVE-2018-11365
Date: Thu, 7 Jun 2018 08:51:10 +0200
On Wed, Jun 06, 2018 at 09:28:06PM -0500, Dirk Eddelbuettel wrote:
> 
> On 23 May 2018 at 20:44, Dirk Eddelbuettel wrote:
> | 
> | On 22 May 2018 at 23:38, Moritz Muehlenhoff wrote:
> | | Package: r-cran-haven
> | | Severity: normal
> | | Tags: security
> | | 
> | | r-cran-haven embeds a copy of ReadStat for which two security issues have been
> | | reported:
> | | 
> | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11364
> | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11365
> | 
> | Just to keep everybody in the loop, I contact upstream for the actual library
> | code (ie Evan, CC'ed, for ReadStat -- which is used in the R package haven
> | for which this CVE came in) and he was / is aware. This really came from a
> | set of Google auto-fuzzer reports.
> | 
> | Work is ongoing, but this may take a moment.
> 
> Just uploaded r-cran-haven_1.1.1-2 to unstable right now.
> 
> Moritz: The r-cran-haven package is not in stable.  So ... are we done with
> this then via unstable + testing? 

Yep, all good now :-)

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Jul 2018 07:26:36 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:23:59 2019; Machine Name: buxtehude