libxrandr: CVE-2016-7947 CVE-2016-7948


Debian Bug report logs - #840441


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 11 Oct 2016 15:45:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions libxrandr/2:1.3.2-2, libxrandr/2:1.4.2-1

Fixed in versions libxrandr/2:1.3.2-2+deb7u2, libxrandr/2:1.5.1-1

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#840441; Package src:libxrandr. (Tue, 11 Oct 2016 15:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 11 Oct 2016 15:45:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxrandr: CVE-2016-7947 CVE-2016-7948
Date: Tue, 11 Oct 2016 17:43:22 +0200
Source: libxrandr
Version: 2:1.4.2-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for libxrandr.

CVE-2016-7947[0]:
for all of the integer overflows

CVE-2016-7948[1]:
for all of the other mishandling of the reply data

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7947
[1] https://security-tracker.debian.org/tracker/CVE-2016-7948

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from Andreas Boll <andreas.boll.dev@gmail.com> to control@bugs.debian.org. (Tue, 25 Oct 2016 10:15:07 GMT)


Marked as found in versions libxrandr/2:1.3.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2016 18:54:07 GMT)


Marked as fixed in versions libxrandr/2:1.3.2-2+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2016 18:54:08 GMT)


Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Tue, 06 Dec 2016 23:39:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 06 Dec 2016 23:39:05 GMT)


Message #16 received at 840441-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 840441-close@bugs.debian.org
Subject: Bug#840441: fixed in libxrandr 2:1.5.1-1
Date: Tue, 06 Dec 2016 23:34:54 +0000
Source: libxrandr
Source-Version: 2:1.5.1-1

We believe that the bug you reported is fixed in the latest version of
libxrandr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated libxrandr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 07 Dec 2016 00:17:09 +0100
Source: libxrandr
Binary: libxrandr2 libxrandr-dev
Architecture: source
Version: 2:1.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 libxrandr-dev - X11 RandR extension library (development headers)
 libxrandr2 - X11 RandR extension library
Closes: 840441
Changes:
 libxrandr (2:1.5.1-1) unstable; urgency=medium
 .
   [ Andreas Boll ]
   * New upstream release.
     - Fixes CVE-2016-7947 and CVE-2016-7948 (Closes: #840441).
   * Update d/upstream/signing-key.asc with Matthieu Herrb's key.
   * Update a bunch of URLs in packaging to https.
   * Bump Standards-Version to 3.9.8, no changes needed.
 .
   [ Emilio Pozuelo Monfort ]
   * Bump debhelper compat to 10.
     + --with autoreconf is enabled by default now. Drop build-deps on
       dh-autoreconf, automake and libtool.
   * debhelper installs to debian/tmp by default, no need to specify it.
   * Switch to -dbgsym packages.
   * Pass -c4 to dpkg-gensymbols.
   * Drop no longer needed dpkg-dev versioned build-dependency.
Checksums-Sha1:
 f7a10997e48045f1153dd0abb511318091366bad 2046 libxrandr_1.5.1-1.dsc
 d2d194a00914e863e51bac7c438b437dd490280f 388607 libxrandr_1.5.1.orig.tar.gz
 13ba483839c2cc1c4a0638004ef1b1eba09c26e8 16386 libxrandr_1.5.1-1.diff.gz
Checksums-Sha256:
 0d7102ab75fdfe06534e842d5dcac8430614c61a061ab12794e2285712b0b103 2046 libxrandr_1.5.1-1.dsc
 2baa7fb3eca78fe7e11a09b373ba898b717f7eeba4a4bfd68187e04b4789b0d3 388607 libxrandr_1.5.1.orig.tar.gz
 42262cbc2117ea559a4e16a02c6ea6478554aa2128d9fe1e141da07006612a1d 16386 libxrandr_1.5.1-1.diff.gz
Files:
 6a1617088d5a0f050951c8c40db03aae 2046 x11 optional libxrandr_1.5.1-1.dsc
 59e90a544ee8cf706cf11e3027339f60 388607 x11 optional libxrandr_1.5.1.orig.tar.gz
 93e04c9ac48b26d2b3662a6ccbc45d11 16386 x11 optional libxrandr_1.5.1-1.diff.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 09:22:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:07 2019; Machine Name: buxtehude
