uriparser: CVE-2018-19198 CVE-2018-19199 CVE-2018-19200


Debian Bug report logs - #913817
uriparser: CVE-2018-19198 CVE-2018-19199 CVE-2018-19200


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 15 Nov 2018 15:54:02 UTC

Severity: important

Tags: security, upstream

Found in versions uriparser/0.8.4-1, uriparser/0.8.6-1

Fixed in version uriparser/0.9.0-1

Done: Jörg Frings-Fürst <debian@jff.email>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Jörg Frings-Fürst <debian@jff.email>:
Bug#913817; Package src:uriparser. (Thu, 15 Nov 2018 15:54:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Jörg Frings-Fürst <debian@jff.email>. (Thu, 15 Nov 2018 15:54:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uriparser: CVE-2018-19198 CVE-2018-19199 CVE-2018-19200
Date: Thu, 15 Nov 2018 16:51:46 +0100
Source: uriparser
Version: 0.8.6-1
Severity: important
Tags: security upstream
Control: found -1  0.8.4-1

Hi,

The following vulnerabilities were published for uriparser.

CVE-2018-19198[0]:
| An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an
| out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx*
| function because the '&' character is mishandled in certain contexts.

CVE-2018-19199[1]:
| An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an
| integer overflow via a uriComposeQuery* or uriComposeQueryEx* function
| because of an unchecked multiplication.

CVE-2018-19200[2]:
| An issue was discovered in uriparser before 0.9.0. UriCommon.c allows
| attempted operations on NULL input via a uriResetUri* function.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19198
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19198
[1] https://security-tracker.debian.org/tracker/CVE-2018-19199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19199
[2] https://security-tracker.debian.org/tracker/CVE-2018-19200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19200

Regards,
Salvatore
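The three advisories above name an unchecked size multiplication, a mishandled '&' in query composition, and a missing NULL guard. The following C sketch is an added example, not uriparser's code or its fix: it shows a generic query composer written so that those defect classes cannot occur, with the unchecked length bound kept beside the overflow-checked one. All function names (query_bound_unchecked, query_bound_checked, query_escape, query_compose) are hypothetical, and the overflow checks assume the GCC/Clang __builtin_*_overflow builtins.

```c
/* Added example, not uriparser's code: a small query composer written so the
 * three defect classes named in the CVE text cannot occur. Names are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Worst case every input byte is percent-encoded ("&" becomes "%26"). */
#define ESCAPE_FACTOR 3

/* 'Before' shape: the multiplication can wrap and yield a tiny bound, so a
 * buffer sized from it is too small and later writes run off its end. */
size_t query_bound_unchecked(size_t strings, size_t max_len)
{
    return strings * max_len * ESCAPE_FACTOR + strings + 1;
}

/* Hardened shape: every step is overflow-checked (GCC/Clang builtins) and a
 * NULL result pointer is an error rather than a crash. */
bool query_bound_checked(size_t strings, size_t max_len, size_t *out)
{
    size_t bytes, sum;
    if (out == NULL) return false;
    if (__builtin_mul_overflow(strings, max_len, &bytes)) return false;
    if (__builtin_mul_overflow(bytes, (size_t)ESCAPE_FACTOR, &bytes)) return false;
    if (__builtin_add_overflow(bytes, strings, &sum)) return false; /* one '=' or '&' per string */
    if (__builtin_add_overflow(sum, (size_t)1, &sum)) return false; /* trailing NUL */
    *out = sum;
    return true;
}

/* Percent-encode src into dst, never writing past cap. Returns the number of
 * bytes written (NUL excluded) or SIZE_MAX when dst is too small or a pointer
 * is NULL. '&', '=' and '%' are always encoded so they cannot act as delimiters. */
size_t query_escape(char *dst, size_t cap, const char *src)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (dst == NULL || src == NULL || cap == 0) return SIZE_MAX;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        bool plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                     c == '_' || c == '~';
        size_t need = plain ? 1 : ESCAPE_FACTOR;
        if (cap - n <= need) return SIZE_MAX;   /* keep room for the NUL */
        if (plain) {
            dst[n++] = (char)c;
        } else {
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 0x0F];
        }
    }
    dst[n] = '\0';
    return n;
}

/* Build "k1=v1&k2=v2..." from parallel arrays. Returns a malloc'd string, or
 * NULL on NULL input, arithmetic overflow, or allocation failure. */
char *query_compose(const char *const *keys, const char *const *vals, size_t pairs)
{
    size_t max_len = 0, strings, cap, n = 0;
    if (keys == NULL || vals == NULL) return NULL;  /* reject NULL up front */
    for (size_t i = 0; i < pairs; i++) {
        if (keys[i] == NULL || vals[i] == NULL) return NULL;
        size_t k = strlen(keys[i]), v = strlen(vals[i]);
        if (k > max_len) max_len = k;
        if (v > max_len) max_len = v;
    }
    if (__builtin_mul_overflow(pairs, (size_t)2, &strings)) return NULL;
    if (!query_bound_checked(strings, max_len, &cap)) return NULL;
    char *out = malloc(cap);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < pairs; i++) {
        size_t w = query_escape(out + n, cap - n, keys[i]);
        if (w == SIZE_MAX) { free(out); return NULL; }
        n += w;
        out[n++] = '=';
        w = query_escape(out + n, cap - n, vals[i]);
        if (w == SIZE_MAX) { free(out); return NULL; }
        n += w;
        if (i + 1 < pairs) out[n++] = '&';
    }
    out[n] = '\0';
    return out;
}
```

The bound reserves three output bytes for every input byte, so an encoded '&' can never exceed the allocation, and the escape routine re-checks remaining capacity on every byte rather than trusting the bound alone. With `strings = 4` and `max_len = 2^(bits-2)` the unchecked bound wraps to 5 bytes while the checked one refuses.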



Marked as found in versions uriparser/0.8.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 15 Nov 2018 15:54:04 GMT) (full text, mbox, link).


Reply sent to Jörg Frings-Fürst <debian@jff.email>:
You have taken responsibility. (Mon, 19 Nov 2018 00:30:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 19 Nov 2018 00:30:03 GMT) (full text, mbox, link).


Message #12 received at 913817-close@bugs.debian.org (full text, mbox, reply):

From: Jörg Frings-Fürst <debian@jff.email>
To: 913817-close@bugs.debian.org
Subject: Bug#913817: fixed in uriparser 0.9.0-1
Date: Mon, 19 Nov 2018 00:26:34 +0000
Source: uriparser
Source-Version: 0.9.0-1

We believe that the bug you reported is fixed in the latest version of
uriparser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <debian@jff.email> (supplier of updated uriparser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Nov 2018 07:57:14 +0100
Source: uriparser
Binary: liburiparser1 liburiparser-dev liburiparser-doc
Architecture: source
Version: 0.9.0-1
Distribution: unstable
Urgency: medium
Maintainer: Jörg Frings-Fürst <debian@jff.email>
Changed-By: Jörg Frings-Fürst <debian@jff.email>
Description:
 liburiparser-dev - development files for uriparser
 liburiparser-doc - documentation files for uriparser
 liburiparser1 - URI parsing library compliant with RFC 3986
Closes: 913817
Changes:
 uriparser (0.9.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #913817):
     - Fix CVE-2018-19198.
     - Fix CVE-2018-19199.
     - Fix CVE-2018-19200.
   * Refresh debian/liburiparser1.symbols.
Checksums-Sha1:
 9a06e3205aeeeb207baa1731dc042b0cd4774c24 2069 uriparser_0.9.0-1.dsc
 9b5d849e2fc8f96c1b832c4510ca05d092d02ba6 371895 uriparser_0.9.0.orig.tar.bz2
 cb2824acb8c391dd84fb553d4f878d8066e9343d 6596 uriparser_0.9.0-1.debian.tar.xz
 1a1d3294385902c98d47194af8f2ae6c3a4a0249 5321 uriparser_0.9.0-1_source.buildinfo
Checksums-Sha256:
 13c8e0dbd4687027134dec7f50b9e84d946228e04ec6ba1a08fff69a8f65d151 2069 uriparser_0.9.0-1.dsc
 ec67eb34feda8eac166f281799f03ed48387694fca44f6f5852f61f8fb535e2c 371895 uriparser_0.9.0.orig.tar.bz2
 cc82e295c7b33b1124f90fa5223c6681dcc786aa144e35d50218f55af90eda08 6596 uriparser_0.9.0-1.debian.tar.xz
 86cbb45d96de92885398a8d421e79d3da375b43cff1b033edd31acd0393aa53a 5321 uriparser_0.9.0-1_source.buildinfo
Files:
 4bae7940001f9f9550cbe68af5d8dc86 2069 libs optional uriparser_0.9.0-1.dsc
 16452063f65826f8d1b5fc3b13e71d3a 371895 libs optional uriparser_0.9.0.orig.tar.bz2
 7a417d56c9d4129383f391fa10296267 6596 libs optional uriparser_0.9.0-1.debian.tar.xz
 b22fda8bf0e38de2f1ac8cb3d6513e2c 5321 libs optional uriparser_0.9.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Dec 2018 07:27:05 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:39 2019; Machine Name: buxtehude
