Related Vulnerabilities: CVE-2017-7555  

Debian Bug report logs - #872400
augeas: CVE-2017-7555: Improper handling of escaped strings leading to memory corruption

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 17 Aug 2017 05:27:02 UTC

Severity: grave

Tags: security, upstream

Found in versions augeas/1.8.0-1, augeas/1.2.0-0.2

Fixed in versions augeas/1.8.1-1, augeas/1.8.0-1+deb9u1, augeas/1.2.0-0.2+deb8u2

Done: Hilko Bengen <bengen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/hercules-team/augeas/pull/480


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#872400; Package src:augeas. (Thu, 17 Aug 2017 05:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hilko Bengen <bengen@debian.org>. (Thu, 17 Aug 2017 05:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: augeas: CVE-2017-7555: Improper handling of escaped strings leading to memory corruption
Date: Thu, 17 Aug 2017 07:23:42 +0200
Source: augeas
Version: 1.8.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/hercules-team/augeas/pull/480

Hi,

the following vulnerability was published for augeas.

CVE-2017-7555[0]:
crash/memory corruption when handling certain escaped strings

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7555
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7555
[1] https://github.com/hercules-team/augeas/pull/480
[2] https://github.com/hercules-team/augeas/pull/480/commits/39592c4eef8d4826947adca94c7fbd6efb8d47ca
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1475621 (not
    accessible at time of writing)
[4] http://www.openwall.com/lists/oss-security/2017/08/17/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Marked as found in versions augeas/1.2.0-0.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 17 Aug 2017 05:30:03 GMT)


Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Fri, 18 Aug 2017 06:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 18 Aug 2017 06:06:05 GMT)


Message #12 received at 872400-close@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 872400-close@bugs.debian.org
Subject: Bug#872400: fixed in augeas 1.8.1-1
Date: Fri, 18 Aug 2017 06:04:11 +0000
Source: augeas
Source-Version: 1.8.1-1

We believe that the bug you reported is fixed in the latest version of
augeas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated augeas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 18 Aug 2017 07:15:24 +0200
Source: augeas
Binary: augeas-tools libaugeas-dev libaugeas0 augeas-dbg augeas-lenses augeas-doc
Architecture: source
Version: 1.8.1-1
Distribution: unstable
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 augeas-dbg - Debugging symbols for libaugeas0
 augeas-doc - Augeas lenses documentation
 augeas-lenses - Set of lenses needed by libaugeas0 to parse config files
 augeas-tools - Augeas command line tools
 libaugeas-dev - Development files for writing applications based on libaugeas0
 libaugeas0 - Augeas configuration editing library and API
Closes: 715554 872400
Changes:
 augeas (1.8.1-1) unstable; urgency=high
 .
   * New upstream version 1.8.1
     - Fixes CVE-2017-7555 (Closes: #872400)
   * Add Multi-Arch support (Closes: #715554)
Checksums-Sha1:
 4a7dd0d16757d0f1f9954170092a37b43d727a31 2306 augeas_1.8.1-1.dsc
 24ebfd91e28af5c1392c5c6f42756f2b9d2327be 2165325 augeas_1.8.1.orig.tar.gz
 e676ccb216a524a28ef99bbff72ced69ba1c2e4d 9440 augeas_1.8.1-1.debian.tar.xz
 b5bb32439836512f7e86759abab3ea95ecda2f75 8394 augeas_1.8.1-1_source.buildinfo
Checksums-Sha256:
 70a5c5bcfd0606aa507d3c2602b0558fc96e9ff6da92d66dd5f6722df070d6a5 2306 augeas_1.8.1-1.dsc
 65cf75b5a573fee2a5c6c6e3c95cad05f0101e70d3f9db10d53f6cc5b11bc9f9 2165325 augeas_1.8.1.orig.tar.gz
 155beb5e76916690d8c49e3d696069a72c61c174798b0f0cbea509e2ea5df2ff 9440 augeas_1.8.1-1.debian.tar.xz
 50f402ed86618a35849b54149cceb9b5b0a9887ed8c4e77960255079dd099a6f 8394 augeas_1.8.1-1_source.buildinfo
Files:
 aa9b1c656c3b514b450ab28e5382e81d 2306 libs optional augeas_1.8.1-1.dsc
 623ff89d71a42fab9263365145efdbfa 2165325 libs optional augeas_1.8.1.orig.tar.gz
 924622bdc9717034f496de02d80feb09 9440 libs optional augeas_1.8.1-1.debian.tar.xz
 32ae69e19a263442e5787c50bf948334 8394 libs optional augeas_1.8.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Tue, 22 Aug 2017 21:36:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 21:36:08 GMT)


Message #17 received at 872400-close@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 872400-close@bugs.debian.org
Subject: Bug#872400: fixed in augeas 1.8.0-1+deb9u1
Date: Tue, 22 Aug 2017 21:32:08 +0000
Source: augeas
Source-Version: 1.8.0-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
augeas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated augeas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 18 Aug 2017 07:56:15 +0200
Source: augeas
Binary: augeas-tools libaugeas-dev libaugeas0 augeas-dbg augeas-lenses augeas-doc
Architecture: source
Version: 1.8.0-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 augeas-dbg - Debugging symbols for libaugeas0
 augeas-doc - Augeas lenses documentation
 augeas-lenses - Set of lenses needed by libaugeas0 to parse config files
 augeas-tools - Augeas command line tools
 libaugeas-dev - Development files for writing applications based on libaugeas0
 libaugeas0 - Augeas configuration editing library and API
Closes: 872400
Changes:
 augeas (1.8.0-1+deb9u1) stretch-security; urgency=high
 .
   * Add patch to fix CVE-2017-7555 (Closes: #872400)
Checksums-Sha1:
 dc44abe4513c4f2721740d3df23615156945239e 2337 augeas_1.8.0-1+deb9u1.dsc
 6ddcffab2665b8c0f286a1201afb251e354f426a 2164146 augeas_1.8.0.orig.tar.gz
 d80544c9ab5c23e0c627d4b09a0988885422eb53 11252 augeas_1.8.0-1+deb9u1.debian.tar.xz
 82597712dc9761e2926feab4ff1abb01c6e64a13 8422 augeas_1.8.0-1+deb9u1_source.buildinfo
Checksums-Sha256:
 92e80698341f3870d302e6f92e03b8b411a1ab91d3c25512ac97023b9e0e1268 2337 augeas_1.8.0-1+deb9u1.dsc
 515ce904138d99ff51d45ba7ed0d809bdee6c42d3bc538c8c820e010392d4cc5 2164146 augeas_1.8.0.orig.tar.gz
 a2f70082f851f126b39d7fdeb835e769de0bb207a85a0bf8598b94797823f84b 11252 augeas_1.8.0-1+deb9u1.debian.tar.xz
 5c1be715c9b9ea453697c7ecca912a995a30ef3a1752c58fb6a9c18c69fde999 8422 augeas_1.8.0-1+deb9u1_source.buildinfo
Files:
 dfa52571831df621834207251a3e231b 2337 libs optional augeas_1.8.0-1+deb9u1.dsc
 cc99cf86ec5f5c4dac71f2800bde2758 2164146 libs optional augeas_1.8.0.orig.tar.gz
 a28660bc019efe2b32872bdf024f87d7 11252 libs optional augeas_1.8.0-1+deb9u1.debian.tar.xz
 c0eff3172baad944953c2c8ed11c9af0 8422 libs optional augeas_1.8.0-1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Tue, 22 Aug 2017 21:51:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 21:51:21 GMT)


Message #22 received at 872400-close@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 872400-close@bugs.debian.org
Subject: Bug#872400: fixed in augeas 1.2.0-0.2+deb8u2
Date: Tue, 22 Aug 2017 21:48:14 +0000
Source: augeas
Source-Version: 1.2.0-0.2+deb8u2

We believe that the bug you reported is fixed in the latest version of
augeas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated augeas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 18 Aug 2017 23:12:46 +0200
Source: augeas
Binary: augeas-tools libaugeas-dev libaugeas0 augeas-dbg augeas-lenses augeas-doc
Architecture: source amd64 all
Version: 1.2.0-0.2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 augeas-dbg - Debugging symbols for libaugeas0
 augeas-doc - Augeas lenses documentation
 augeas-lenses - Set of lenses needed by libaugeas0 to parse config files
 augeas-tools - Augeas command line tools
 libaugeas-dev - Development files for writing applications based on libaugeas0
 libaugeas0 - Augeas configuration editing library and API
Closes: 872400
Changes:
 augeas (1.2.0-0.2+deb8u2) jessie-security; urgency=high
 .
   * Add patch to fix CVE-2017-7555 (Closes: #872400)
Checksums-Sha1:
 e56fdc95428b1d6fd70aa0d1850999e2d8e0e3b8 2352 augeas_1.2.0-0.2+deb8u2.dsc
 ab63548ae5462d7b3dc90e74311b8e566ba22485 1957910 augeas_1.2.0.orig.tar.gz
 b156c48e9e883a0e5e1f2fba9ec7d9479d3b9528 11960 augeas_1.2.0-0.2+deb8u2.debian.tar.xz
 c3cbaed4e51944143f058cbd2aaa8d93193ee1d3 127478 augeas-tools_1.2.0-0.2+deb8u2_amd64.deb
 56c7b7183ef1539bea87466605fa26b939d01251 278560 libaugeas-dev_1.2.0-0.2+deb8u2_amd64.deb
 91fc2e3940e921d561d6cbf450a3a5a05c9be172 257180 libaugeas0_1.2.0-0.2+deb8u2_amd64.deb
 3065a32ea8faffa839df89f27329a5d24bd67059 554128 augeas-dbg_1.2.0-0.2+deb8u2_amd64.deb
 e12613645b6187fe75d1c89a289819ebce462faf 336398 augeas-lenses_1.2.0-0.2+deb8u2_all.deb
 c1a9c7d5249b1f26ce1dd531fadd49819e808277 455322 augeas-doc_1.2.0-0.2+deb8u2_all.deb
Checksums-Sha256:
 c2561b304f073c4dd9fcd1db07014b5f69e8f03a01ffbcec8b96d11835e30f70 2352 augeas_1.2.0-0.2+deb8u2.dsc
 f4aeb28ebe0b0921920fe1c9b4c016739c25261a15de04cb97db02d669f481e0 1957910 augeas_1.2.0.orig.tar.gz
 56c8504771d32950c3839e803dc8cae64e795b551f186d09238d46dec67a9f86 11960 augeas_1.2.0-0.2+deb8u2.debian.tar.xz
 d219907a1ed66cec373bafb2f9f7f94c0d6b1fdce5e6b4eea4145c72fa107cc0 127478 augeas-tools_1.2.0-0.2+deb8u2_amd64.deb
 35a3e59db231bb3723f713e2521d706611536e3d1d3138705928c1731c106ecc 278560 libaugeas-dev_1.2.0-0.2+deb8u2_amd64.deb
 2867ebe38ae1ae9dc55d790b0f6af663997e1b268b564af190038611df564bbe 257180 libaugeas0_1.2.0-0.2+deb8u2_amd64.deb
 c3ff5f81b534d6bfa7a7b10fbe673e5d8e6eb1bd51cfdf8f61d9219e79536b72 554128 augeas-dbg_1.2.0-0.2+deb8u2_amd64.deb
 e8dd4446dd13559f94b42d87eef382697e7bfbf9f998963eb5603094f774efcc 336398 augeas-lenses_1.2.0-0.2+deb8u2_all.deb
 11db12cd32d3ddb5d6123a6552a1a5c051223db77a3cf4a7688016ca8699e5dd 455322 augeas-doc_1.2.0-0.2+deb8u2_all.deb
Files:
 e24a61d05cbbd12332b2aa36091184ec 2352 libs optional augeas_1.2.0-0.2+deb8u2.dsc
 dce2f52cbd20f72c7da48e014ad48076 1957910 libs optional augeas_1.2.0.orig.tar.gz
 2b718659b0364c412da612ee36aa7740 11960 libs optional augeas_1.2.0-0.2+deb8u2.debian.tar.xz
 be065ca73cc5f49e0b85b53f91638a7f 127478 admin optional augeas-tools_1.2.0-0.2+deb8u2_amd64.deb
 20955f0a7ad13b3a90680eadfd519618 278560 libdevel optional libaugeas-dev_1.2.0-0.2+deb8u2_amd64.deb
 29aaa9025cd86eb5ab771f2476ea8cf5 257180 libs optional libaugeas0_1.2.0-0.2+deb8u2_amd64.deb
 0de0f93176529b9238b8d90784d15154 554128 debug extra augeas-dbg_1.2.0-0.2+deb8u2_amd64.deb
 697d3f2ba5edb8559eb591d357bf2085 336398 misc optional augeas-lenses_1.2.0-0.2+deb8u2_all.deb
 26005642f47ba3ab9d10dd5571d1e935 455322 doc optional augeas-doc_1.2.0-0.2+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Oct 2017 07:26:31 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:42:25 2019; Machine Name: buxtehude