Your message dated Wed, 18 Oct 2017 21:09:25 +0000
with message-id <e1e4vaf-000hlz...@fasolo.debian.org>
and subject line Bug#878264: fixed in libsdl2 2.0.6+dfsg1-4
has caused the Debian Bug report #878264,
regarding libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
878264: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2
Version: 2.0.6+dfsg1-2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for libsdl2.

CVE-2017-2888[0]:
| An exploitable integer overflow vulnerability exists when creating a
| new RGB Surface in SDL 2.0.5. A specially crafted file can cause an
| integer overflow resulting in too little memory being allocated which
| can lead to a buffer overflow and potential code execution. An
| attacker can provide a specially crafted image file to trigger this
| vulnerability.

The upstream patch seems to be [1], but please note that this might not be
enough, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 .

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2888
[1] http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libsdl2
Source-Version: 2.0.6+dfsg1-4

We believe that the bug you reported is fixed in the latest version of
libsdl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fge...@debian.org> (supplier of updated libsdl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Oct 2017 21:36:23 +0200
Source: libsdl2
Binary: libsdl2-2.0-0 libsdl2-dev libsdl2-doc
Architecture: source
Version: 2.0.6+dfsg1-4
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintain...@lists.alioth.debian.org>
Changed-By: Felix Geyer <fge...@debian.org>
Description:
 libsdl2-2.0-0 - Simple DirectMedia Layer
 libsdl2-dev - Simple DirectMedia Layer development files
 libsdl2-doc - Reference manual for libsdl2
Closes: 878264
Changes:
 libsdl2 (2.0.6+dfsg1-4) unstable; urgency=high
 .
   * Import further upstream patches for CVE-2017-2888.
     The initial fix was incomplete. (Closes: #878264)
     - d/patches/CVE-2017-2888-1.patch
     - d/patches/CVE-2017-2888-2.patch
     - d/patches/CVE-2017-2888-3.patch
Checksums-Sha1:
 abc8dff8b3eb8a17a7207d7b9970583b25066d10 2704 libsdl2_2.0.6+dfsg1-4.dsc
 83b7cd915888dcdd78294de40f8b0dc146fa385c 17208 libsdl2_2.0.6+dfsg1-4.debian.tar.xz
Checksums-Sha256:
 2235c5b3d41ed91fc00c672efc943bcc368f0f948be85b2e2dfb63f7be99bee0 2704 libsdl2_2.0.6+dfsg1-4.dsc
 ea496af5d01fb39857468eac23ba2fc23389b6bd3400e363933a8af4cc405507 17208 libsdl2_2.0.6+dfsg1-4.debian.tar.xz
Files:
 5e9acab97d7e2942f6f1852614e3ae65 2704 libs optional libsdl2_2.0.6+dfsg1-4.dsc
 cdd872476779759cecc3755f17700aee 17208 libs optional libsdl2_2.0.6+dfsg1-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
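The two messages above describe the bug class (width * bytes-per-pixel * height wrapping so that too little memory is allocated for the surface) and note that the first upstream fix was incomplete. The following C program is an added illustration written for this page, not SDL source and not any of the referenced patches; it models the arithmetic with three versions of the size computation: unchecked 32-bit arithmetic, a guard on only the final multiplication (one way a fix can be incomplete, since the pitch may already have wrapped before that guard runs), and a version that bounds every multiplication. The SIZE_LIMIT constant, the function names and the dimension values are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for the example: the allocation size must fit a signed 32-bit
 * field, as pitch/size fields in image libraries commonly do. */
#define SIZE_LIMIT ((uint64_t)INT32_MAX)

/* Unchecked 32-bit arithmetic, as in the vulnerable pattern: both
 * products can wrap, so huge dimensions can yield a tiny or even
 * zero-length allocation that later pixel writes run past. */
uint32_t surface_size_naive(uint32_t w, uint32_t h, uint32_t bpp)
{
    uint32_t pitch = w * bpp;   /* may wrap */
    return pitch * h;           /* may wrap again */
}

/* Incomplete hardening: only the pitch * h product is bounded, but the
 * pitch itself was computed in 32 bits and may already have wrapped to
 * a small value, so the check passes on absurd widths.
 * Returns the size, or -1 if rejected. */
int64_t surface_size_size_only_check(uint32_t w, uint32_t h, uint32_t bpp)
{
    uint32_t pitch = w * bpp;                   /* still unchecked */
    if (pitch != 0 && h > SIZE_LIMIT / pitch)   /* only this product is bounded */
        return -1;
    return (int64_t)(pitch * h);
}

/* Complete check: every multiplication is carried out in 64 bits and
 * compared against the limit before the next one runs.
 * Returns the size, or -1 if rejected. */
int64_t surface_size_checked(uint32_t w, uint32_t h, uint32_t bpp)
{
    uint64_t pitch = (uint64_t)w * bpp;
    if (pitch > SIZE_LIMIT)
        return -1;
    uint64_t total = pitch * h;                 /* <= 2^31 * 2^32, fits in 64 bits */
    if (total > SIZE_LIMIT)
        return -1;
    return (int64_t)total;
}

int main(void)
{
    /* 65536 x 65536 x 4 bytes is 2^34 bytes; in 32 bits that wraps to 0. */
    printf("naive 65536x65536x4      -> %u bytes\n",
           surface_size_naive(65536u, 65536u, 4u));

    /* Width 0x40000001 * 4 bytes wraps to a pitch of 4 before the
     * size-only guard ever looks at it, so 1000 rows are "accepted". */
    long long r = (long long)surface_size_size_only_check(0x40000001u, 1000u, 4u);
    printf("size-only check          -> %s (%lld)\n", r < 0 ? "rejected" : "accepted", r);

    r = (long long)surface_size_checked(0x40000001u, 1000u, 4u);
    printf("full check               -> %s (%lld)\n", r < 0 ? "rejected" : "accepted", r);

    r = (long long)surface_size_checked(640u, 480u, 4u);
    printf("full check 640x480x4     -> %s (%lld)\n", r < 0 ? "rejected" : "accepted", r);
    return 0;
}
```

The takeaway for review of such fixes is that each intermediate product needs its own bound; a guard placed after a value has already wrapped verifies nothing about the inputs that produced it.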
