Your message dated Thu, 12 Oct 2017 17:33:51 +0000
with message-id <e1e2hml-0009s3...@fasolo.debian.org>
and subject line Bug#878264: fixed in libsdl2 2.0.6+dfsg1-3
has caused the Debian Bug report #878264,
regarding libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
878264: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2
Version: 2.0.6+dfsg1-2
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerability was published for libsdl2.
CVE-2017-2888[0]:
| An exploitable integer overflow vulnerability exists when creating a
| new RGB Surface in SDL 2.0.5. A specially crafted file can cause an
| integer overflow resulting in too little memory being allocated which
| can lead to a buffer overflow and potential code execution. An
| attacker can provide a specially crafted image file to trigger this
| vulnerability.
Upstream patch seems to be [1], but please note that this might not be
enough, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-2888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2888
[1] http://hg.libsdl.org/SDL/rev/7e0f1498ddb5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
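The overflow class described in the report above, as an added example that is not part of this thread or of SDL's own code: a constructed 32-bit model of the unchecked pitch * height computation beside an overflow-checked version of the same size calculation. Function names and the sample dimensions are assumptions; the INT_MAX bound reflects that SDL_Surface stores w, h and pitch as int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the flaw: pitch * height computed in 32-bit arithmetic,
 * so a crafted width/height pair can wrap to a tiny value. Returns the wrapped
 * byte count that an unchecked allocator would hand to malloc(); the rows the
 * decoder later writes into that buffer no longer fit. */
uint32_t surface_size_unchecked(int w, int h, int bytes_per_pixel)
{
    uint32_t pitch = (uint32_t)w * (uint32_t)bytes_per_pixel;
    return pitch * (uint32_t)h;            /* silently wraps modulo 2^32 */
}

/* Hardened form: validate the dimensions and bound every intermediate product
 * before multiplying. Returns the byte count, or 0 when the surface must be
 * rejected (a surface with positive dimensions is never 0 bytes). */
size_t surface_size_checked(int w, int h, int bytes_per_pixel)
{
    if (w <= 0 || h <= 0 || bytes_per_pixel <= 0)
        return 0;
    if (w > INT_MAX / bytes_per_pixel)      /* pitch would overflow int */
        return 0;
    int pitch = w * bytes_per_pixel;
    if (pitch > INT_MAX / h)                /* pitch * h would overflow int */
        return 0;
    return (size_t)pitch * (size_t)h;
}

/* Allocate pixel storage only when the checked size computation succeeds;
 * callers treat NULL as "reject this image" rather than as out-of-memory. */
void *alloc_surface_pixels(int w, int h, int bytes_per_pixel)
{
    size_t size = surface_size_checked(w, h, bytes_per_pixel);
    return size ? calloc(1, size) : NULL;
}
```

With a 65536 x 65536 image at 4 bytes per pixel the unchecked product is 2^34, which wraps to 0, while the checked version refuses the allocation outright.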
--- Begin Message ---
Source: libsdl2
Source-Version: 2.0.6+dfsg1-3
We believe that the bug you reported is fixed in the latest version of
libsdl2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 878...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fge...@debian.org> (supplier of updated libsdl2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 12 Oct 2017 18:33:41 +0200
Source: libsdl2
Binary: libsdl2-2.0-0 libsdl2-dev libsdl2-doc
Architecture: source
Version: 2.0.6+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintain...@lists.alioth.debian.org>
Changed-By: Felix Geyer <fge...@debian.org>
Description:
libsdl2-2.0-0 - Simple DirectMedia Layer
libsdl2-dev - Simple DirectMedia Layer development files
libsdl2-doc - Reference manual for libsdl2
Closes: 878264
Changes:
libsdl2 (2.0.6+dfsg1-3) unstable; urgency=high
  .
  [ Gianfranco Costamagna ]
  * debian/patches/dc7245e3d1f2.patch:
    - backport upstream fix for dbus error.
      LP: #1721907
      thanks LGB [Gábor Lénárt] (lgb) for the report!
  .
  [ Felix Geyer ]
  * Fix CVE-2017-2888: Integer overflow while creating a new RGB surface.
    - Add d/patches/CVE-2017-2888.patch
    - Closes: #878264
  * Enable verbose build logs.
--- End Message ---