Your message dated Sat, 02 Dec 2017 19:32:57 +0000
with message-id <e1eldwz-000cwm...@fasolo.debian.org>
and subject line Bug#876744: fixed in sam2p 0.49.2-3+deb8u1
has caused the Debian Bug report #876744,
regarding Multiple CVEs in sam2p
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876744: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876744
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sam2p
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for sam2p.

CVE-2017-14637[0]:
| In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb
| function in in_xpm.cpp. However, this can also cause a write to an
| illegal address.

CVE-2017-14636[1]:
| Because of an integer overflow in sam2p 0.49.3, a loop executes
| 0xffffffff times, ending with an invalid read of size 1 in the
| Image::Indexed::sortPal function in image.cpp. However, this also
| causes memory corruption because of an attempted write to the invalid
| d[0xfffffffe] array element.

CVE-2017-14628[2]:
| In sam2p 0.49.3, a heap-based buffer overflow exists in the
| pcxLoadImage24 function of the file in_pcx.cpp.

CVE-2017-14629[3]:
| In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an
| integer signedness error, leading to a crash when writing to an
| out-of-bounds array element.

CVE-2017-14630[4]:
| In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24
| function of the file in_pcx.cpp, leading to an invalid write operation.

CVE-2017-14631[5]:
| In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an
| integer signedness error leading to a heap-based buffer overflow.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14637
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14637
[1] https://security-tracker.debian.org/tracker/CVE-2017-14636
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14636
[2] https://security-tracker.debian.org/tracker/CVE-2017-14628
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14628
[3] https://security-tracker.debian.org/tracker/CVE-2017-14629
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14629
[4] https://security-tracker.debian.org/tracker/CVE-2017-14630
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14630
[5] https://security-tracker.debian.org/tracker/CVE-2017-14631
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14631

Please adjust the affected versions in the BTS as needed.

--- End Message ---
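The six CVE texts in the report above describe one bug class: image dimensions taken from an untrusted file header are combined into a buffer size or loop bound with arithmetic that wraps (the 0xffffffff-iteration loop) or goes negative (the signedness errors), after which the raster data overruns the heap allocation. The C below is an added illustration of that class, not sam2p's code; the PCX-style bounds fields, the MAX_PIXELS cap and all function names are constructed for the example.

```c
/* Added illustration of the bug class named in the CVE texts above
 * (integer overflow / signedness error in raster-size arithmetic).
 * Constructed example; it is NOT sam2p's code and models no real file. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_PIXELS (64u * 1024u * 1024u) /* assumed sanity cap on w*h */

/* Unchecked pattern: the product wraps modulo 2^32, so a header can
 * make the buffer far smaller than the pixel data later written to it
 * (32768 x 32768 x 4 bytes wraps to exactly 0). */
uint32_t unchecked_raster_bytes(uint16_t w, uint16_t h, uint8_t bpp) {
    return (uint32_t)w * h * bpp;
}

/* Signedness pattern: PCX-style bounds give width = xmax - xmin + 1.
 * With xmax < xmin the result is negative; passed on as an unsigned
 * size or loop bound it becomes a huge value. */
int bounds_to_dimension(int16_t lo, int16_t hi) {
    return (int)hi - (int)lo + 1; /* computed in int, so no UB here */
}

/* Hardened computation: reject non-positive dimensions, bound the pixel
 * count before multiplying by bpp, and do the arithmetic in 64 bits. */
bool checked_raster_bytes(int w, int h, int bpp, uint64_t *out) {
    if (w <= 0 || h <= 0 || bpp <= 0 || bpp > 4)
        return false;
    uint64_t px = (uint64_t)w * (uint64_t)h; /* fits: both < 2^31 */
    if (px > MAX_PIXELS)
        return false;
    *out = px * (uint64_t)bpp;               /* <= 2^28, cannot wrap */
    return true;
}

/* Allocate a raster from PCX-style bounds; NULL on any rejected header. */
uint8_t *alloc_raster(int16_t xmin, int16_t xmax, int16_t ymin, int16_t ymax,
                      uint8_t bpp, uint64_t *bytes_out) {
    int w = bounds_to_dimension(xmin, xmax);
    int h = bounds_to_dimension(ymin, ymax);
    uint64_t bytes;
    if (!checked_raster_bytes(w, h, bpp, &bytes))
        return NULL;
    if (bytes_out)
        *bytes_out = bytes;
    return calloc((size_t)bytes, 1);
}
```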
--- Begin Message ---
Source: sam2p
Source-Version: 0.49.2-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
sam2p, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated sam2p package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Nov 2017 21:39:20 +0100
Source: sam2p
Binary: sam2p
Architecture: source amd64
Version: 0.49.2-3+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+deb...@ortolo.eu>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 sam2p      - convert raster images to EPS, PDF, and other formats
Closes: 876744
Changes:
 sam2p (0.49.2-3+deb8u1) jessie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631,
     CVE-2017-14636, CVE-2017-14637, CVE-2017-16663:
     Several integer overflow or heap-based buffer overflow issues were
     discovered in sam2p that may lead to an application crash or other
     unspecified impact. (Closes: #876744)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
