
Debian Bug report logs - #1029158
rust-bzip2: CVE-2023-22895


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 18 Jan 2023 16:36:15 UTC

Severity: important

Tags: security, upstream

Found in version rust-bzip2/0.4.3-1

Fixed in version rust-bzip2/0.4.4-1

Done: Peter Michael Green <plugwash@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>:
Bug#1029158; Package src:rust-bzip2. (Wed, 18 Jan 2023 16:36:17 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Wed, 18 Jan 2023 16:36:17 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: rust-bzip2: CVE-2023-22895
Date: Wed, 18 Jan 2023 17:35:28 +0100
Source: rust-bzip2
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-bzip2.

CVE-2023-22895[0]:
| The bzip2 crate before 0.4.4 for Rust allow attackers to cause a
| denial of service via a large file that triggers an integer overflow
| in mem.rs. NOTE: this is unrelated to the
| https://crates.io/crates/bzip2-rs product.

https://github.com/alexcrichton/bzip2-rs/pull/86
https://github.com/alexcrichton/bzip2-rs/commit/90c9c182cd5a5ebc75810aebd89b347a7bdf590b (0.4.4)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22895
    https://www.cve.org/CVERecord?id=CVE-2023-22895

Please adjust the affected versions in the BTS as needed.
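The CVE text above describes the bug class only as an integer overflow in mem.rs triggered by a large input. The following is an added illustration of that class and of the defensive pattern for it; it is not code from the bzip2 crate or from the upstream fix in PR #86, and `FakeStream`, `naive_avail_in`, `checked_avail_in`, `chunk_lengths` and `feed_chunked` are all constructed names for this example. The hazard it shows is generic to Rust wrappers around C stream APIs: a `usize` buffer length cast with `as` into a 32-bit `c_uint` silently wraps, so the C side is told a wrong size and the caller's byte accounting drifts. The fix shown is a checked conversion plus chunking so every length handed to the C side is representable.

```rust
use std::convert::TryFrom;
use std::os::raw::c_uint;

/// Constructed stand-in for a C stream state. Real libbz2 keeps `avail_in`
/// as `unsigned int` and a pair of 32-bit `total_in` counters; this toy
/// version only models the width mismatch that matters here.
#[derive(Debug, Default)]
pub struct FakeStream {
    pub avail_in: c_uint,
    pub total_in: u64,
}

/// The unsafe-by-design pattern: `as c_uint` truncates any length that does
/// not fit in 32 bits. On a 64-bit host 2^32 + 5 bytes becomes 5 bytes.
pub fn naive_avail_in(len: usize) -> c_uint {
    len as c_uint
}

/// Checked conversion: refuse lengths the C side cannot represent instead
/// of silently wrapping them.
pub fn checked_avail_in(len: usize) -> Result<c_uint, String> {
    c_uint::try_from(len).map_err(|_| format!("input length {} exceeds c_uint::MAX", len))
}

/// Split a buffer length into pieces that each fit in `c_uint`, so a large
/// input is fed to the C API in a loop rather than truncated.
pub fn chunk_lengths(total: usize) -> Vec<c_uint> {
    let max = c_uint::MAX as usize;
    let mut out = Vec::new();
    let mut remaining = total;
    while remaining > 0 {
        let piece = remaining.min(max);
        // piece <= c_uint::MAX by construction, so this cast cannot wrap
        out.push(piece as c_uint);
        remaining -= piece;
    }
    out
}

/// Feed `len` bytes through the stream in representable chunks and return
/// the bytes the stream believes it consumed. With correct chunking this
/// always equals `len`; with `naive_avail_in` it would not.
pub fn feed_chunked(stream: &mut FakeStream, len: usize) -> u64 {
    for piece in chunk_lengths(len) {
        stream.avail_in = piece;
        // Simulate the C call consuming everything it was handed.
        stream.total_in += u64::from(piece);
        stream.avail_in = 0;
    }
    stream.total_in
}

fn main() {
    // Lengths only: nothing here allocates a multi-gigabyte buffer.
    let small = 1234usize;
    println!("naive({}) = {}", small, naive_avail_in(small));
    if let Some(big) = (c_uint::MAX as usize).checked_add(6) {
        println!("naive({}) = {} (wrapped)", big, naive_avail_in(big));
        println!("checked({}) = {:?}", big, checked_avail_in(big));
        println!("chunks({}) = {:?}", big, chunk_lengths(big));
        let mut s = FakeStream::default();
        println!("fed {} bytes via chunking", feed_chunked(&mut s, big));
    }
}
```

The `checked_add` guard keeps the example compiling on 32-bit targets, where `usize` and `c_uint` have the same width and the overflow cannot occur; the truncation case is only reachable on 64-bit hosts, which is also where a "large file" input is realistic. For an audit, the thing to grep for in any FFI wrapper is `len() as c_uint` (or `as u32`) on a user-controlled buffer and to prefer `try_from` or chunking.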



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Jan 2023 19:33:06 GMT)


Reply sent to Peter Michael Green <plugwash@debian.org>:
You have taken responsibility. (Thu, 19 Jan 2023 00:15:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 19 Jan 2023 00:15:04 GMT)


Message #12 received at 1029158-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1029158-close@bugs.debian.org
Subject: Bug#1029158: fixed in rust-bzip2 0.4.4-1
Date: Thu, 19 Jan 2023 00:12:35 +0000
Source: rust-bzip2
Source-Version: 0.4.4-1
Done: Peter Michael Green <plugwash@debian.org>

We believe that the bug you reported is fixed in the latest version of
rust-bzip2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029158@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Michael Green <plugwash@debian.org> (supplier of updated rust-bzip2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 18 Jan 2023 23:00:57 +0000
Source: rust-bzip2
Architecture: source
Version: 0.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Peter Michael Green <plugwash@debian.org>
Closes: 1029158
Changes:
 rust-bzip2 (0.4.4-1) unstable; urgency=medium
 .
   * Team upload.
   * Package bzip2 0.4.4 from crates.io using debcargo 2.6.0
     + New upstream fixes CVE-2023-22895 (Closes: #1029158)
   * Update remove-futures-and-tokio.diff
Checksums-Sha1:
 78a9e9fc9d77b82109a64d1e49c2a8f0d65aece2 2442 rust-bzip2_0.4.4-1.dsc
 632b230ab279c22b055a301438749d2fa39215f9 34197 rust-bzip2_0.4.4.orig.tar.gz
 f2fd330aa4942ec91e70dd21007e67363cae7778 3184 rust-bzip2_0.4.4-1.debian.tar.xz
 823b921bf19be7191b6665024aa4c1e6cb042eff 7654 rust-bzip2_0.4.4-1_source.buildinfo
Checksums-Sha256:
 b1be4dc51b67b8e0931224b0924a0ce2d60d1b3a1f19ea12217e60466ed1e1df 2442 rust-bzip2_0.4.4-1.dsc
 bdb116a6ef3f6c3698828873ad02c3014b3c85cadb88496095628e3ef1e347f8 34197 rust-bzip2_0.4.4.orig.tar.gz
 6c604bec6c24d5ce33f9bdcca464643bcc78b4d4a5eb021383f30296b8f1eb87 3184 rust-bzip2_0.4.4-1.debian.tar.xz
 ea2a2e12358e09d6a298daee15dcab699d001876e62b6ec6c0af7b19dbc4e0c8 7654 rust-bzip2_0.4.4-1_source.buildinfo
Files:
 518f987141d0ef3da4db7e272aa0dfbb 2442 rust optional rust-bzip2_0.4.4-1.dsc
 b80c91663e5990a3770774abdce0f257 34197 rust optional rust-bzip2_0.4.4.orig.tar.gz
 e225f834c3633f89106a5ce1ca054e59 3184 rust optional rust-bzip2_0.4.4-1.debian.tar.xz
 0f4985f3a03c3ba708a5ff34cb83ed29 7654 rust optional rust-bzip2_0.4.4-1_source.buildinfo





Marked as found in versions rust-bzip2/0.4.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Jan 2023 06:09:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 19 13:05:12 2023; Machine Name: bembo
