Your message dated Wed, 18 Oct 2017 21:09:30 +0000
with message-id <e1e4vak-000hnk...@fasolo.debian.org>
and subject line Bug#878266: fixed in libsdl2-image 2.0.1+dfsg-4
has caused the Debian Bug report #878266,
regarding libsdl2-image: CVE-2017-2887: Incorrect XCF property handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
878266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878266
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.1+dfsg-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:sdl-image1.2
Control: found -2 1.2.12-1
Control: retitle -2 sdl-image1.2: CVE-2017-2887: Incorrect XCF property handling

Hi,

the following vulnerability was published for libsdl2-image.

CVE-2017-2887[0]:
| An exploitable buffer overflow vulnerability exists in the XCF
| property handling functionality of SDL_image 2.0.1. A specially
| crafted xcf file can cause a stack-based buffer overflow resulting in
| potential code execution. An attacker can provide a specially crafted
| XCF file to trigger this vulnerability.

The same is found in sdl-image1.2 afaics, but please double check. I'm
cloning this bug for the second source package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2887
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2887
[1] https://hg.libsdl.org/SDL_image/rev/318484db0705

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libsdl2-image
Source-Version: 2.0.1+dfsg-4

We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fge...@debian.org> (supplier of updated libsdl2-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 18 Oct 2017 22:09:02 +0200
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-dev
Architecture: source
Version: 2.0.1+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintain...@lists.alioth.debian.org>
Changed-By: Felix Geyer <fge...@debian.org>
Description:
 libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
 libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 878266
Changes:
 libsdl2-image (2.0.1+dfsg-4) unstable; urgency=medium
 .
   [ Manuel A. Fernandez Montecelo ]
   * d/copyright: Fix missing "General" in LGPL license
 .
   [ Felix Geyer ]
   * Fix CVE-2017-2887: buffer overflow in the XCF property handling.
     (Closes: #878266)


--- End Message ---
