Hi Antonio,

On Sun, Apr 06, 2025 at 08:07:50PM +0200, Antonio Valentino wrote:
> Dear Salvatore,
>
> On Sat, 05 Apr 2025 21:11:44 +0200 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Source: c-blosc2
> > Version: 2.17.1+ds-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/Blosc/c-blosc2/issues/656
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for c-blosc2.
> >
> > CVE-2025-29476[0]:
> > | Buffer Overflow vulnerability in compress_chunk_fuzzer with oss-fuzz
> > | on commit 16450518afddcb3139de627157208e49bfef6987 in c-blosc2
> > | v.2.17.0 and before.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-29476
> > https://www.cve.org/CVERecord?id=CVE-2025-29476
> > [1] https://github.com/Blosc/c-blosc2/issues/656
> >
> > Regards,
> > Salvatore
> >
>
> According to the mentioned CVE record the issue affects c-blosc2 v2.17.
> The fix has been merged in c-blosc2 v2.17.1, which is the version
> currently in testing.
>
> My conclusion is that the current version of c-blosc2 in Debian is OK, so I
> will close this bug.
> Please feel free to re-open if you do not agree.
No, no need to reopen. I think my triage and uncertainty about the fix
overlapped with the acknowledgement in the upstream issue at
https://github.com/Blosc/c-blosc2/issues/656#issuecomment-2780717832 .
So it looks correct that this is fixed in v2.17.1 upstream. I agree with
your conclusion. I tried to fix the metadata of the bug and updated the
security-tracker accordingly as well.

Regards,
Salvatore