Your message dated Thu, 05 Nov 2015 15:47:06 +0000
with message-id <e1zumkk-0003cc...@franck.debian.org>
and subject line Bug#797165: fixed in freeimage 3.15.4-4.2
has caused the Debian Bug report #797165,
regarding CVE-2015-0852: integer overflow in PluginPCX.cpp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
797165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freeimage
Version: 3.10.0-4
Severity: serious
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for freeimage.

CVE-2015-0852[0]:
Integer overflow in PluginPCX.cpp

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
    https://marc.info/?l=oss-security&m=144073280200732&w=2
    Please adjust the affected versions in the BTS as needed.

BTW upstream patches are available but they are not minimal patches:
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.18&r2=1.19&pathrev=MAIN

Hopefully one of the people who will discover this RC bug (because
their package depends on freeimage or whatever) can be convinced to take
over this package... it has been orphaned for way too long.

Note that the package has another pending security issue (#786790).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: freeimage
Source-Version: 3.15.4-4.2

We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gl...@debian.org> (supplier of updated freeimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Oct 2015 19:06:00 +0100
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source amd64
Version: 3.15.4-4.2
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Anton Gladky <gl...@debian.org>
Description:
 libfreeimage-dev - Support library for graphics image formats (development files)
 libfreeimage3 - Support library for graphics image formats (library)
 libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 797165
Changes:
 freeimage (3.15.4-4.2) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix integer overflow CVE-2015-0852. (Closes: #797165)


--- End Message ---
-- 
debian-science-maintainers mailing list
debian-science-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-science-maintainers
