Hi Hubert,

On Mon, Jun 01, 2015 at 01:20:08PM -0400, Hubert Chathi wrote:
> On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <car...@debian.org> said:
>
> > the following vulnerability was published for ufraw.
> >
> > CVE-2015-3885[0]:
> > | Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier
> > | allows remote attackers to cause a denial of service (crash) via a
> > | crafted image, which triggers a buffer overflow, related to the len
> > | variable.
>
> I have built new packages to fix the above vulnerability in jessie and
> sid. The .diff, .dscs, and signed* .changes files are available at:
> https://debian.uhoreg.ca/security/jessie/ufraw_0.20-2%2bdeb8u1.diff.gz
> https://debian.uhoreg.ca/security/jessie/ufraw_0.20-2%2bdeb8u1.dsc
> https://debian.uhoreg.ca/security/jessie/ufraw_0.20-2%2bdeb8u1_amd64.changes
> https://debian.uhoreg.ca/security/sid/ufraw_0.20-3.diff.gz
> https://debian.uhoreg.ca/security/sid/ufraw_0.20-3.dsc
> https://debian.uhoreg.ca/security/sid/ufraw_0.20-3_amd64.changes
> (other files from the build are available in those directories as well)
>
> * the .changes files are signed by my old 1024D key, and my replacement
> key is not connected enough to be in the Debian keyring
>
> Unfortunately, since I do not have a valid key in the Debian keyring, I
> am unable to upload a fixed package to sid, so if the security team
> could upload the package for me, that would be greatly appreciated.
> Otherwise, I will have to try to find someone else to sponsor the
> upload.
I'm now building ufraw for sid and will upload it.

For jessie: we have marked it no-dsa, meaning no DSA is planned, but it could ideally be fixed via a jessie-pu and wheezy-pu. Can you contact the stable release managers for an acknowledgement of it? If so, I can upload that one as well.

Regards,
Salvatore