Your message dated Thu, 07 Sep 2023 11:48:58 +0000
with message-id <e1qedvk-005rez...@fasolo.debian.org>
and subject line Bug#1042887: fixed in procps 2:4.0.4-1
has caused the Debian Bug report #1042887,
regarding procps: CVE-2023-4016 ps buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1042887: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042887
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: procps
Version: 2:4.0.3-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
We have a very scant report of a ps buffer overflow security bug.
Under some circumstances, this weakness gives a user who has access to run the
“ps” utility on a machine the ability to write almost unlimited amounts of
unfiltered data into the process heap.
We don't know the versions impacted, we don't know how to cause it. We
have that single sentence. Once (any) details are given we will update
this bug and the gitlab issue.
I made the severity important because I'm not even sure it's a real bug
yet.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4016
https://gitlab.com/procps-ng/procps/-/issues/297
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-10-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages procps depends on:
ii init-system-helpers 1.65.2
ii libc6 2.36-9+deb12u1
ii libncursesw6 6.4-4
ii libproc2-0 2:4.0.3-1
ii libtinfo6 6.4-4
Versions of packages procps recommends:
ii psmisc 23.6-1
procps suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: procps
Source-Version: 2:4.0.4-1
Done: Craig Small <csm...@debian.org>
We believe that the bug you reported is fixed in the latest version of
procps, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1042...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated procps package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 Sep 2023 21:31:09 +1000
Source: procps
Architecture: source
Version: 2:4.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Closes: 968711 1031765 1035649 1036631 1037450 1042887
Changes:
procps (2:4.0.4-1) unstable; urgency=medium
.
* New upstream release
- ps: Fix buffer overflow in -C option CVE-2023-4016 Closes: #1042887
- library: Refactor the escape code Closes: #1035649
- pgrep: Use only --signal option for signal Closes: #1031765
- pgrep: suppress >15 warning if using regex Closes: #1037450
- ps: fixed missing or corrupted fields with -m option Closes: #1036631
- free: New -L option for one line output
- ps: New --signames options to show signal names
* watch: Color support turned on by default use -C to turn off
* Remove redundant lines from sysctl.conf Closes: #968711
--- End Message ---