Debian Bug report logs -
#917807
libcaca: CVE-2018-20544 CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 30 Dec 2018 15:45:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version libcaca/0.99.beta19-2
Fixed in versions libcaca/0.99.beta19-2+deb8u1, libcaca/0.99.beta19-2.1
Done: Tobias Frost <tobi@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Sam Hocevar <sho@debian.org>:
Bug#917807; Package src:libcaca.
(Sun, 30 Dec 2018 15:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Sam Hocevar <sho@debian.org>.
(Sun, 30 Dec 2018 15:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libcaca
Version: 0.99.beta19-2
Severity: important
Tags: security upstream fixed-upstream
Hi,
The following vulnerabilities were published for libcaca.
CVE-2018-20544[0]:
| There is floating point exception at caca/dither.c (function
| caca_dither_bitmap) in libcaca 0.99.beta19.
CVE-2018-20545[1]:
| There is an illegal WRITE memory access at common-image.c (function
| load_image) in libcaca 0.99.beta19 for 4bpp data.
CVE-2018-20546[2]:
| There is an illegal READ memory access at caca/dither.c (function
| get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.
CVE-2018-20547[3]:
| There is an illegal READ memory access at caca/dither.c (function
| get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.
CVE-2018-20548[4]:
| There is an illegal WRITE memory access at common-image.c (function
| load_image) in libcaca 0.99.beta19 for 1bpp data.
CVE-2018-20549[5]:
| There is an illegal WRITE memory access at caca/file.c (function
| caca_file_read) in libcaca 0.99.beta19.
Note: obviously I realize given you are both upstream am Debian
maintainer you have already fixed this upstream with the reports
submitted and two of those issues are actually unimportant as the
Debian build does not use the fallback.
Reporting these issues still in the BTS for tracking purpose.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
[1] https://security-tracker.debian.org/tracker/CVE-2018-20545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
[2] https://security-tracker.debian.org/tracker/CVE-2018-20546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
[3] https://security-tracker.debian.org/tracker/CVE-2018-20547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
[4] https://security-tracker.debian.org/tracker/CVE-2018-20548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
[5] https://security-tracker.debian.org/tracker/CVE-2018-20549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar <sho@debian.org>:
Bug#917807; Package src:libcaca.
(Wed, 02 Jan 2019 09:42:19 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar <sho@debian.org>.
(Wed, 02 Jan 2019 09:42:19 GMT) (full text, mbox, link).
Message #10 received at 917807@bugs.debian.org (full text, mbox, reply):
Also consider adding following commit when fixing these.
https://github.com/cacalabs/libcaca/commit/813baea7a7bc28986e474541dd1080898fac14d7
--
Henri Salo
Severity set to 'grave' from 'important'
Request was from Moritz Muehlenhoff <jmm@debian.org>
to control@bugs.debian.org.
(Mon, 18 Feb 2019 13:33:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar <sho@debian.org>:
Bug#917807; Package src:libcaca.
(Sun, 10 Mar 2019 23:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas Braud-Santoni <nicoo@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar <sho@debian.org>.
(Sun, 10 Mar 2019 23:39:04 GMT) (full text, mbox, link).
Message #17 received at 917807@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
clone 917807 -1
retitle -1 Orphan libcaca
severity -1 normal
thanks
Hi Sam,
I'm planning on fixing those security issues for Buster.
Given that you last touched the package in 2014, and didn't address this critical
bug within 3 months, may I go ahead and orphan the package while I'm at it?
I will do so in the absence of an answer, but I shall make sure that my upload
is delayed until at least next Monday (2019-03-18), so you have time to
intercept it.
Best,
nicoo
On Sun, Dec 30, 2018 at 04:42:04PM +0100, Salvatore Bonaccorso wrote:
> Source: libcaca
> Version: 0.99.beta19-2
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> The following vulnerabilities were published for libcaca.
>
> CVE-2018-20544[0]:
> | There is floating point exception at caca/dither.c (function
> | caca_dither_bitmap) in libcaca 0.99.beta19.
>
> CVE-2018-20545[1]:
> | There is an illegal WRITE memory access at common-image.c (function
> | load_image) in libcaca 0.99.beta19 for 4bpp data.
>
> CVE-2018-20546[2]:
> | There is an illegal READ memory access at caca/dither.c (function
> | get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.
>
> CVE-2018-20547[3]:
> | There is an illegal READ memory access at caca/dither.c (function
> | get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.
>
> CVE-2018-20548[4]:
> | There is an illegal WRITE memory access at common-image.c (function
> | load_image) in libcaca 0.99.beta19 for 1bpp data.
>
> CVE-2018-20549[5]:
> | There is an illegal WRITE memory access at caca/file.c (function
> | caca_file_read) in libcaca 0.99.beta19.
>
> Note: obviously I realize given you are both upstream am Debian
> maintainer you have already fixed this upstream with the reports
> submitted and two of those issues are actually unimportant as the
> Debian build does not use the fallback.
>
> Reporting these issues still in the BTS for tracking purpose.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20544
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
> [1] https://security-tracker.debian.org/tracker/CVE-2018-20545
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
> [2] https://security-tracker.debian.org/tracker/CVE-2018-20546
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
> [3] https://security-tracker.debian.org/tracker/CVE-2018-20547
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
> [4] https://security-tracker.debian.org/tracker/CVE-2018-20548
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
> [5] https://security-tracker.debian.org/tracker/CVE-2018-20549
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
>
> Regards,
> Salvatore
>
[signature.asc (application/pgp-signature, inline)]
Bug 917807 cloned as bug 924281
Request was from Nicolas Braud-Santoni <nicoo@debian.org>
to control@bugs.debian.org.
(Sun, 10 Mar 2019 23:39:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar <sho@debian.org>:
Bug#917807; Package src:libcaca.
(Mon, 11 Mar 2019 05:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar <sho@debian.org>.
(Mon, 11 Mar 2019 05:39:04 GMT) (full text, mbox, link).
Message #24 received at 917807@bugs.debian.org (full text, mbox, reply):
Hi nicoo,
On Mon, Mar 11, 2019 at 12:34:56AM +0100, Nicolas Braud-Santoni wrote:
> clone 917807 -1
> retitle -1 Orphan libcaca
> severity -1 normal
> thanks
>
>
> Hi Sam,
>
> I'm planning on fixing those security issues for Buster.
>
> Given that you last touched the package in 2014, and didn't address this critical
> bug within 3 months, may I go ahead and orphan the package while I'm at it?
>
> I will do so in the absence of an answer, but I shall make sure that my upload
> is delayed until at least next Monday (2019-03-18), so you have time to
> intercept it.
Not the maintainer hiere, so disclaimer.
When fixing the isuse just make sure to cherry-pick all needed
changes, as far I remember there were for some of the upstream bugs
iterations on the commits.
Notabene: Upstream is same as Debian maintainer, so Sam might give
you the needed input!
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar <sho@debian.org>:
Bug#917807; Package src:libcaca.
(Sat, 06 Apr 2019 20:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Tobias Frost <tobi@coldtobi.de>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar <sho@debian.org>.
(Sat, 06 Apr 2019 20:27:03 GMT) (full text, mbox, link).
Message #29 received at 917807@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 917807 + patch
Control: tags 917807 + pending
Dear maintainer,
I've prepared an NMU for libcaca (versioned as 0.99.beta19-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards.
[libcaca-0.99.beta19-2.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Added tag(s) patch.
Request was from Tobias Frost <tobi@coldtobi.de>
to 917807-submit@bugs.debian.org.
(Sat, 06 Apr 2019 20:27:03 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Tobias Frost <tobi@coldtobi.de>
to 917807-submit@bugs.debian.org.
(Sat, 06 Apr 2019 20:27:03 GMT) (full text, mbox, link).
Reply sent
to Tobias Frost <tobi@debian.org>:
You have taken responsibility.
(Mon, 08 Apr 2019 20:51:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 08 Apr 2019 20:51:03 GMT) (full text, mbox, link).
Message #38 received at 917807-close@bugs.debian.org (full text, mbox, reply):
Source: libcaca
Source-Version: 0.99.beta19-2.1
We believe that the bug you reported is fixed in the latest version of
libcaca, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 917807@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libcaca package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 06 Apr 2019 22:18:41 +0200
Source: libcaca
Architecture: source
Version: 0.99.beta19-2.1
Distribution: unstable
Urgency: medium
Maintainer: Sam Hocevar <sho@debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 917807
Changes:
libcaca (0.99.beta19-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Cherry-Pick fixes from upstream git repository:
- CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
CVE-2018-20549 (Closes: #917807)
Checksums-Sha1:
2e1614dd299b7b7c39425e48b2d31c63ca9f7754 2224 libcaca_0.99.beta19-2.1.dsc
2d1ec4d5c49f78ed4348484c5c32c9dc8c10dc3a 12624 libcaca_0.99.beta19-2.1.debian.tar.xz
25dd46f63e4c858645423de74a5c337694e82e6a 8416 libcaca_0.99.beta19-2.1_source.buildinfo
Checksums-Sha256:
952f7ad2716b6c227597298ffc7d37b0ce199e18b58a5a810019473299e72b99 2224 libcaca_0.99.beta19-2.1.dsc
7e2e265972d56c9aeb46686378a25543c6a3d2810cc1649102884dbe9aaf947a 12624 libcaca_0.99.beta19-2.1.debian.tar.xz
429ca726810739703e22cd18e6e1c01bbb1798024eaef596739091708199eaba 8416 libcaca_0.99.beta19-2.1_source.buildinfo
Files:
436e73482e570ec80763d4839ea6aa3a 2224 libs optional libcaca_0.99.beta19-2.1.dsc
c7b52b38fcf26c2fcbc8bdef5cc99928 12624 libs optional libcaca_0.99.beta19-2.1.debian.tar.xz
414a1cc1b23fc0acc6bd653c86be9151 8416 libs optional libcaca_0.99.beta19-2.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAlypCjIACgkQkWT6HRe9
XTYHZBAA0WPV2UWce3+bRaq6uUYOARUiW3bplW1JdNeDbh4po5LIgUJlyqYDk+3d
/5cBuK+5M0Xz8KVn/2TYIKYW8RM6E5/6atWiNWHaWFwOqUr4n2juaMy3WyuMxb/c
qp/m4VPgYyfMz7CSsnQS3CiEgD0ZVq2MCMFSDfnz6h5RffHNunHW1rz4aNS9kjP1
qIRNMThJY6PqygrIez4tP7lhBPYBvaj8DSZlsrkm4jV2RfxHvWTOfZzpgB6jvFWl
/CkqX+wLDiXM/Vh4kJKV5f+MkAvd7UnWqCq/+qRe0j+oj28RsbQ6DdrEVU9zZQA5
NGGqsyr/2sd8Fi7BQzazR//rWlg4S1fRiukihuTaPv7GNMaDi7/Cv4UBTpb3FmQs
BeLRgSxEeM6xoi7RuDw65BZunaJWLxrSiMwwImW98n2p6MgQaX8wvid7rHBnp4Rl
rCoFV+aadzdn+TzleFLQMkBlCHSv1zIMcTn2l+MQommOmLe+BcS1x7TfzPyrehW1
hLLz7Qu5M5swlISpA04OErCEx7y6uPqwPK4s8RALQNR5WPpYjTVuHRa1jeVG0w/8
+jjpyYD2IpKGEeSi+Csok6LVcQu65UMleGnayjpjxKh4GO/wNsh+zNuxxUal0JwF
QrAgy+gpLCIdp0HzUv4X6OPKp25SxD4/bEIm6sCcALCsuASsI3Y=
=MvhB
-----END PGP SIGNATURE-----
Marked as fixed in versions libcaca/0.99.beta19-2+deb8u1.
Request was from Andreas Beckmann <anbe@debian.org>
to submit@bugs.debian.org.
(Mon, 29 Apr 2019 22:51:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:50:20 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon