libjpeg9: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214

Related Vulnerabilities: CVE-2018-11212, CVE-2018-11213, CVE-2018-11214, CVE-2018-11813, CVE-2016-3616

Debian Bug report logs - #902176
libjpeg9: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 23 Jun 2018 07:15:02 UTC

Severity: normal

Tags: security

Found in version libjpeg9/1:9b-2

Fixed in version libjpeg9/1:9c-1

Done: Bill Allombert <ballombe@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#902176; Package src:libjpeg9. (Sat, 23 Jun 2018 07:15:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Bill Allombert <ballombe@debian.org>. (Sat, 23 Jun 2018 07:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214
Date: Sat, 23 Jun 2018 09:11:14 +0200

Source: libjpeg9
Severity: normal
Tags: security

There have been three reports of minor bugs in libjpeg, which
ended up getting a CVE ID assigned:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212

They all seem fairly harmless and I'm not sure if they've
been reported upstream.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#902176; Package src:libjpeg9. (Sat, 23 Jun 2018 08:45:07 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bill Allombert <ballombe@debian.org>. (Sat, 23 Jun 2018 08:45:07 GMT)


Message #10 received at 902176@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 902176@bugs.debian.org
Subject: Re: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214
Date: Sat, 23 Jun 2018 10:43:30 +0200

On Sat, Jun 23, 2018 at 09:11:14AM +0200, Moritz Muehlenhoff wrote:
> Source: libjpeg9
> Severity: normal
> Tags: security
> 
> There have been three reports of minor bugs in libjpeg, which
> ended up getting a CVE ID assigned:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11213
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212

Also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813

Cheers,
        Moritz



Changed Bug title to 'CVE-2018-11212 CVE-2018-11213 CVE-2018-11214 CVE-2018-11813' from 'CVE-2018-11212 CVE-2018-11213 CVE-2018-11214'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 23 Jun 2018 09:54:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#902176; Package src:libjpeg9. (Thu, 26 Jul 2018 20:51:06 GMT)


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. (Thu, 26 Jul 2018 20:51:06 GMT)


Message #17 received at 902176@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 902176@bugs.debian.org
Subject: Re: Bug#902176: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214
Date: Thu, 26 Jul 2018 22:49:52 +0200

On Sat, Jun 23, 2018 at 10:43:30AM +0200, Moritz Mühlenhoff wrote:
> On Sat, Jun 23, 2018 at 09:11:14AM +0200, Moritz Muehlenhoff wrote:
> > Source: libjpeg9
> > Severity: normal
> > Tags: security
> > 
> > There have been three reports of minor bugs in libjpeg, which
> > ended up getting a CVE ID assigned:
> > 
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11213
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212

Hello Moritz,
These bugs are fixed in libjpeg 9c that I will upload soon.

> Also:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813

Could you report this last one as a separate issue ?

Thanks for your report!
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Bill Allombert <ballombe@debian.org>:
Bug#902176; Package src:libjpeg9. (Fri, 27 Jul 2018 06:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bill Allombert <ballombe@debian.org>. (Fri, 27 Jul 2018 06:21:05 GMT)


Message #22 received at 902176@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bill Allombert <ballombe@debian.org>, 902176@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#902176: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214
Date: Fri, 27 Jul 2018 08:20:20 +0200

Control: clone -1 -2
Control: retitle -1 libjpeg9: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214
Control: retitle -2 libjpeg9: CVE-2018-11813

Hi Bill

On Thu, Jul 26, 2018 at 10:49:52PM +0200, Bill Allombert wrote:
> On Sat, Jun 23, 2018 at 10:43:30AM +0200, Moritz Mühlenhoff wrote:
> > On Sat, Jun 23, 2018 at 09:11:14AM +0200, Moritz Muehlenhoff wrote:
> > > Source: libjpeg9
> > > Severity: normal
> > > Tags: security
> > > 
> > > There have been three reports of minor bugs in libjpeg, which
> > > ended up getting a CVE ID assigned:
> > > 
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11213
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212
> 
> Hello Moritz,
> These bugs are fixed in libjpeg 9c that I will upload soon.
> 
> > Also:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813
> 
> Could you report this last one as a separate issue ?

Splitting/cloning this bug for your request.

Thanks for your work!

Regards,
Salvatore



Bug 902176 cloned as bug 904719. Request was from Salvatore Bonaccorso <carnil@debian.org> to 902176-submit@bugs.debian.org. (Fri, 27 Jul 2018 06:21:05 GMT)


Changed Bug title to 'libjpeg9: CVE-2018-11212 CVE-2018-11213 CVE-2018-11214' from 'CVE-2018-11212 CVE-2018-11213 CVE-2018-11214 CVE-2018-11813'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 902176-submit@bugs.debian.org. (Fri, 27 Jul 2018 06:21:06 GMT)


Marked as found in versions libjpeg9/1:9b-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Jul 2018 06:33:03 GMT)


Reply sent to Bill Allombert <ballombe@debian.org>:
You have taken responsibility. (Sat, 28 Jul 2018 13:39:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 28 Jul 2018 13:39:06 GMT)


Message #33 received at 902176-close@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: 902176-close@bugs.debian.org
Subject: Bug#902176: fixed in libjpeg9 1:9c-1
Date: Sat, 28 Jul 2018 13:35:39 +0000

Source: libjpeg9
Source-Version: 1:9c-1

We believe that the bug you reported is fixed in the latest version of
libjpeg9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bill Allombert <ballombe@debian.org> (supplier of updated libjpeg9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Jul 2018 14:35:23 +0200
Source: libjpeg9
Binary: libjpeg9 libjpeg9-dev libjpeg-progs
Architecture: source amd64
Version: 1:9c-1
Distribution: unstable
Urgency: medium
Maintainer: Bill Allombert <ballombe@debian.org>
Changed-By: Bill Allombert <ballombe@debian.org>
Description:
 libjpeg-progs - Programs for manipulating JPEG files
 libjpeg9   - Independent JPEG Group's JPEG runtime library
 libjpeg9-dev - Development files for the IJG JPEG library
Closes: 902176
Changes:
 libjpeg9 (1:9c-1) unstable; urgency=medium
 .
   * New upstream release
     - patches CVE-2016-3616, CVE-2016-3616-2: removed
     - CVE fixed: CVE-2016-3616, CVE-2018-11212, CVE-2018-11213, CVE-2018-11214
       Closes: #902176
   * debian/control:
     - Bump standard version to 4.1.5.
     - replace libjpeg-dbg by libjpeg9-dbgsym, libjpeg-progs-dbgsym
   * debian/control, debian/rules, debian/compat:
     + switch to debhelper v9




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Aug 2018 07:28:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:11 2019; Machine Name: buxtehude
