CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955

Debian Bug report logs - #880116
CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 29 Oct 2017 17:30:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version bchunk/1.2.0-12

Fixed in versions 1.2.0-12.1, bchunk/1.2.0-12+deb9u1, bchunk/1.2.0-12+deb8u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Praveen Arimbrathodiyil <pravi.a@gmail.com>:
Bug#880116; Package bchunk. (Sun, 29 Oct 2017 17:30:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Praveen Arimbrathodiyil <pravi.a@gmail.com>. (Sun, 29 Oct 2017 17:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955
Date: Sun, 29 Oct 2017 18:26:26 +0100
Package: bchunk
Severity: grave
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15953

Cheers,
        Moritz



Marked as found in versions bchunk/1.2.0-12. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Oct 2017 17:45:06 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Oct 2017 17:45:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Praveen Arimbrathodiyil <pravi.a@gmail.com>:
Bug#880116; Package bchunk. (Thu, 02 Nov 2017 22:33:05 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Praveen Arimbrathodiyil <pravi.a@gmail.com>. (Thu, 02 Nov 2017 22:33:05 GMT)


Message #14 received at 880116@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 880116@bugs.debian.org
Subject: Re: CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955
Date: Thu, 2 Nov 2017 23:28:11 +0100
Control: tags -1 patch

Hi,

upstream has released two patches to address the issue. I have verified
that they work by testing against the provided poc files. They are
attached to the upstream bug reports, for example here:

https://github.com/extramaster/bchunk/issues/3

Please find attached the debdiff against the version in Sid. I have
already released a security update for Wheezy and could also get in
contact with the security team to do the same for Jessie and Stretch.

Please note that CVE-2017-15954 was also fixed with these two patches.

Regards,

Markus
[bchunk.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Markus Koschany <apo@debian.org> to 880116-submit@bugs.debian.org. (Thu, 02 Nov 2017 22:33:05 GMT)


Added tag(s) fixed-upstream. Request was from Henri S. <henri@nerv.fi> to control@bugs.debian.org. (Sun, 05 Nov 2017 11:06:05 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Mon, 06 Nov 2017 17:09:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 06 Nov 2017 17:09:03 GMT)


Message #23 received at 880116-done@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 880116-done@bugs.debian.org
Subject: Re: CVE-2017-15953 / CVE-2017-15954 / CVE-2017-15955
Date: Mon, 6 Nov 2017 18:07:07 +0100
Version: 1.2.0-12.1

Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Sun, 12 Nov 2017 15:33:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 12 Nov 2017 15:33:06 GMT)


Message #28 received at 880116-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 880116-close@bugs.debian.org
Subject: Bug#880116: fixed in bchunk 1.2.0-12+deb9u1
Date: Sun, 12 Nov 2017 15:32:08 +0000
Source: bchunk
Source-Version: 1.2.0-12+deb9u1

We believe that the bug you reported is fixed in the latest version of
bchunk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated bchunk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Nov 2017 14:28:06 +0100
Source: bchunk
Binary: bchunk
Architecture: source amd64
Version: 1.2.0-12+deb9u1
Distribution: stable
Urgency: high
Maintainer: Praveen Arimbrathodiyil <pravi.a@gmail.com>
Changed-By: Sebastien Delafond <seb@debian.org>
Description:
 bchunk     - CD image format conversion from bin/cue to iso/cdr
Closes: 880116
Changes:
 bchunk (1.2.0-12+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955.
     bchunk was vulnerable to a heap-based buffer overflow with a resultant
     invalid free when processing a malformed CUE (.cue) file that may lead to
     the execution of arbitrary code or an application crash. (Closes: #880116)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 18 Nov 2017 22:21:46 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 18 Nov 2017 22:21:46 GMT)


Message #33 received at 880116-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 880116-close@bugs.debian.org
Subject: Bug#880116: fixed in bchunk 1.2.0-12+deb8u1
Date: Sat, 18 Nov 2017 22:17:26 +0000
Source: bchunk
Source-Version: 1.2.0-12+deb8u1

We believe that the bug you reported is fixed in the latest version of
bchunk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated bchunk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Nov 2017 19:41:33 +0100
Source: bchunk
Binary: bchunk
Architecture: source amd64
Version: 1.2.0-12+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Praveen Arimbrathodiyil <pravi.a@gmail.com>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 bchunk     - CD image format conversion from bin/cue to iso/cdr
Closes: 880116
Changes:
 bchunk (1.2.0-12+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955.
     bchunk was vulnerable to a heap-based buffer overflow with a resultant
     invalid free when processing a malformed CUE (.cue) file that may lead to
     the execution of arbitrary code or an application crash. (Closes: #880116)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Dec 2017 07:26:10 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:34 2019; Machine Name: buxtehude