gettext: CVE-2018-18751

Related Vulnerabilities: CVE-2018-18751  

Debian Bug report logs - #913173
gettext: CVE-2018-18751


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Nov 2018 19:57:02 UTC

Severity: minor

Tags: security, upstream

Found in version gettext/0.19.8.1-8

Fixed in version gettext/0.19.8.1-9

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#913173; Package src:gettext. (Wed, 07 Nov 2018 19:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Santiago Vila <sanvila@debian.org>. (Wed, 07 Nov 2018 19:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gettext: CVE-2018-18751
Date: Wed, 07 Nov 2018 20:54:16 +0100
Source: gettext
Version: 0.19.8.1-8
Severity: minor
Tags: security upstream

Hi Santiago,

The following vulnerability was published for gettext, and as
discussed already this has negligible security impact if at all. But
still filing the bug for tracking purposes so we can update the
tracker entry once the issue is fixed. Chose severity minor as well.

CVE-2018-18751[0]:
| An issue was discovered in GNU gettext 0.19.8. There is a double free
| in default_add_message in read-catalog.c, related to an invalid free in
| po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18751
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18751

Regards,
Salvatore
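The CVE text above describes an ownership bug: a message object released both by the routine that stores it in the catalog (default_add_message) and by the parser that built it (po_gram_parse). The following is an added illustration of that bug class in toy form; it is not gettext's code and does not reproduce the exact gettext logic. All names (catalog_add_buggy, catalog_add_fixed, load_messages, msg_free) are invented for the example, and the input list is constructed. Because a real double free is undefined behaviour, the instrumented msg_free() counts any release after the first instead of performing it, so the buggy and fixed contracts can run side by side.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct message {
    char *msgid;
    char *msgstr;
    int   releases;   /* times msg_free() has been called on this object */
};

struct catalog {
    struct message *items[8];
    int count;
};

/* Releases beyond the first are counted here; in real code they would
 * corrupt the heap (glibc normally aborts on a detected double free). */
static int double_frees;

static struct message *msg_new(const char *id, const char *str)
{
    struct message *m = calloc(1, sizeof *m);
    if (m == NULL)
        abort();
    m->msgid = strdup(id);
    m->msgstr = strdup(str);
    return m;
}

/* Instrumented release: first call frees the payload, later calls are
 * recorded instead of reaching free(). */
static void msg_free(struct message *m)
{
    if (m == NULL)
        return;
    if (m->releases++ == 0) {
        free(m->msgid);
        free(m->msgstr);
        m->msgid = m->msgstr = NULL;
    } else {
        double_frees++;
    }
}

static int catalog_find(const struct catalog *c, const char *id)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->items[i]->msgid, id) == 0)
            return i;
    return -1;
}

/* BUGGY contract: on a duplicate msgid the catalog frees the rejected
 * message itself AND reports failure, so a caller that also cleans up on
 * failure releases it a second time. */
static int catalog_add_buggy(struct catalog *c, struct message *m)
{
    if (catalog_find(c, m->msgid) >= 0 || c->count >= 8) {
        msg_free(m);
        return -1;
    }
    c->items[c->count++] = m;
    return 0;
}

/* FIXED contract: ownership moves to the catalog only when it returns 0.
 * On failure the caller still owns m and is the only party that frees it. */
static int catalog_add_fixed(struct catalog *c, struct message *m)
{
    if (catalog_find(c, m->msgid) >= 0 || c->count >= 8)
        return -1;
    c->items[c->count++] = m;
    return 0;
}

/* Parser-side loop over constructed input with a repeated msgid. Frees any
 * message the catalog rejected, as a parser's error path would. Returns the
 * number of double frees the instrumented msg_free() observed. */
static int load_messages(int (*add)(struct catalog *, struct message *))
{
    static const char *ids[] = { "Open", "Close", "Open" };  /* constructed: "Open" repeats */
    enum { N = sizeof ids / sizeof ids[0] };
    struct catalog cat = { { 0 }, 0 };
    struct message *all[N];

    double_frees = 0;
    for (int i = 0; i < N; i++) {
        all[i] = msg_new(ids[i], "translated");
        if (add(&cat, all[i]) != 0)
            msg_free(all[i]);   /* caller assumes it still owns m on failure */
    }
    int observed = double_frees;

    /* Tear down: messages still owned by the catalog get their one release. */
    for (int i = 0; i < N; i++) {
        if (all[i]->releases == 0)
            msg_free(all[i]);
        free(all[i]);
    }
    return observed;
}

int main(void)
{
    printf("buggy contract: %d double free(s)\n", load_messages(catalog_add_buggy));
    printf("fixed contract: %d double free(s)\n", load_messages(catalog_add_fixed));
    return 0;
}
```

The point the example isolates is the contract: a store routine must either always take ownership or never free on failure, and the parser's error path must match it. When reproducing the real issue against a build of msgfmt, run it under AddressSanitizer (`-fsanitize=address`) on the crafted .po file; the report names both the free sites, which is exactly the pair of functions the CVE text lists.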



Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Sat, 10 Nov 2018 18:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Nov 2018 18:06:03 GMT)


Message #10 received at 913173-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 913173-close@bugs.debian.org
Subject: Bug#913173: fixed in gettext 0.19.8.1-9
Date: Sat, 10 Nov 2018 18:04:15 +0000
Source: gettext
Source-Version: 0.19.8.1-9

We believe that the bug you reported is fixed in the latest version of
gettext, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913173@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated gettext package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Nov 2018 18:34:46 +0100
Source: gettext
Binary: gettext-base gettext gettext-el gettext-doc autopoint libgettextpo0 libasprintf0v5 libgettextpo-dev libasprintf-dev
Architecture: source
Version: 0.19.8.1-9
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 autopoint  - The autopoint program from GNU gettext
 gettext    - GNU Internationalization utilities
 gettext-base - GNU Internationalization utilities for the base system
 gettext-doc - Documentation for GNU gettext
 gettext-el - Emacs po-mode for editing gettext .po files
 libasprintf-dev - GNU Internationalization library development files
 libasprintf0v5 - GNU library to use fprintf and friends in C++
 libgettextpo-dev - GNU Internationalization library development files
 libgettextpo0 - GNU Internationalization library
Closes: 913173
Changes:
 gettext (0.19.8.1-9) unstable; urgency=medium
 .
   * Fix double-free problem with *.po file input. Closes: #913173.
     Patch extracted from upstream git where it was fixed by Daiki Ueno.
     For reference, this is CVE-2018-18751.
   * Add bison to Build-Depends, required by the above.
Checksums-Sha1:
 a6fce80e66c025aac4102898fe53b92ae11db50a 2011 gettext_0.19.8.1-9.dsc
 a798fb0408739e36b09a8f93af6c630bb29d1578 32792 gettext_0.19.8.1-9.debian.tar.xz
 586a7c4c807f82e0b23819d8da24fcd69ca52d95 10751 gettext_0.19.8.1-9_source.buildinfo
Checksums-Sha256:
 1854346197e167b6ac7eaa3cc0630cbfcad4b47c21980f045ee5c82fe37f9593 2011 gettext_0.19.8.1-9.dsc
 646bee2ac7de6d6c8e64a612a03abaf9dab116671ec258199671894e90faf73e 32792 gettext_0.19.8.1-9.debian.tar.xz
 1d7fa6627642a4b8cf510bccf7b9ed389246f59b5657bc4f5132ffc692d88042 10751 gettext_0.19.8.1-9_source.buildinfo
Files:
 fefbe58f8c469eefb833d30aac4dc9be 2011 devel optional gettext_0.19.8.1-9.dsc
 8e8190d1de59901c5064e4d01dc76c56 32792 devel optional gettext_0.19.8.1-9.debian.tar.xz
 7234ef96b70f2c5345743f8a669249fc 10751 devel optional gettext_0.19.8.1-9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAlvnFzAACgkQQc5/C58b
izIJgAf9FH8FfEnKEdbDAOScxzm3Bq3gATuCjnkr7t0phMH8U5wEjVVajfNm4brB
2JRcM3kv6RTv28ATt6ADuYGcm7JodYbTthiTEwHArUqg4/kLT9mV1b9ddEWVcvq3
T6Z/iSHkg0YpYW5LsYPOvElGUxXbWYsmEidngxbFAcuFXhQ8+/KMO09yk1sJKjU/
jfQMghOxgvkON+X0488dAwL6lSwYzOyysf7dk/esZ1FC3fmS++rhPDKt+tj5dEo3
ASbB0taUS32VhWqLx71Cw0RGAbLZEgMSC/PykvJk/OV3Lbt20KqF1ujWugitjzSR
VD8zOj7Vwtkwg+cczsK6SE4T/lFWaA==
=mDy5
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Dec 2018 07:33:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:15:30 2019; Machine Name: beach
