Your message dated Thu, 19 Nov 2015 19:47:07 +0000
with message-id <e1zzvah-0006sf...@franck.debian.org>
and subject line Bug#805113: fixed in libpng 1.2.50-2+deb8u1
has caused the Debian Bug report #805113,
regarding CVE-2015-8126: buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
805113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpng12-0
Version: 1.2.50-2+b2
Severity: critical
Tags: security upstream

Quoting https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126
> Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
> functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and
> 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote
> attackers to cause a denial of service (application crash) or possibly have
> unspecified other impact via a small bit-depth value in an IHDR (aka image
> header) chunk in a PNG image.

In particular, "1.1.x and 1.2.x before 1.2.54".

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpng12-0 depends on:
ii  libc6              2.19-22
ii  multiarch-support  2.19-22
ii  zlib1g             1:1.2.8.dfsg-2+b1

libpng12-0 recommends no packages.

libpng12-0 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.2.50-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 805...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Nov 2015 19:21:32 +0100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source
Version: 1.2.50-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 803078 805113
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Changes:
 libpng (1.2.50-2+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2015-7981.patch patch.
     CVE-2015-7981: Out-of-bounds read in png_convert_to_rfc1123.
     (Closes: #803078)
   * Add Prevent-writing-over-length-PLTE-chunk-Cosm.patch patch.
     CVE-2015-8126: Multiple buffer overflows in the png_set_PLTE and
     png_get_PLTE functions. (Closes: #805113)
   * Add Fixed-new-bug-with-CRC-error-after-reading-.patch patch.
     Fixed new bug with CRC error after reading an over-length palette.
Checksums-Sha1: 
 024ae4301ae8a8112f9b4eaeae50a70d61c86da4 2036 libpng_1.2.50-2+deb8u1.dsc
 3ac9c32fc08804d4a1858cb5d02c6d0fb55ede37 539152 libpng_1.2.50.orig.tar.xz
 a5e7117c34d7980c98a74c5251409a9380026765 20232 libpng_1.2.50-2+deb8u1.debian.tar.xz
Checksums-Sha256: 
 8c7302111fb96198a7b3046fdf65697d00f87867b4baf1a1fd1b77ac4111b34d 2036 libpng_1.2.50-2+deb8u1.dsc
 4724f81f8c92ac7f360ad1fbf173396ea7c535923424db9fbaff07bfd9d8e8e7 539152 libpng_1.2.50.orig.tar.xz
 99cada9cd6af65321604f84821091b764fcd1661d4bd136e4893ebc5a9178206 20232 libpng_1.2.50-2+deb8u1.debian.tar.xz
Files: 
 9df487847a931ba2862eafb3d812483d 2036 libs optional libpng_1.2.50-2+deb8u1.dsc
 a3e00fccbfe356174ab515b5c00641c7 539152 libs optional libpng_1.2.50.orig.tar.xz
 e91ab33a8ed0e80204f9fda77da4fc45 20232 libs optional libpng_1.2.50-2+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
