Your message dated Wed, 18 Oct 2017 21:14:11 +0000
with message-id <e1e4vfh-000ie7...@fasolo.debian.org>
and subject line Bug#878267: fixed in sdl-image1.2 1.2.12-7
has caused the Debian Bug report #878267,
regarding sdl-image1.2: CVE-2017-2887: Incorrect XCF property handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
878267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.1+dfsg-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:sdl-image1.2
Control: found -2 1.2.12-1
Control: retitle -2 sdl-image1.2: CVE-2017-2887: Incorrect XCF property handling

Hi,

the following vulnerability was published for libsdl2-image.

CVE-2017-2887[0]:
| An exploitable buffer overflow vulnerability exists in the XCF
| property handling functionality of SDL_image 2.0.1. A specially
| crafted xcf file can cause a stack-based buffer overflow resulting in
| potential code execution. An attacker can provide a specially crafted
| XCF file to trigger this vulnerability.

The same is found in sdl-image1.2 afaics, but please double check. I'm
cloning this bug for the second source package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2887
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2887
[1] https://hg.libsdl.org/SDL_image/rev/318484db0705

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
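The advisory above describes the bug class only at the level of "a crafted XCF property overflows a stack buffer". The C below is an added example, not SDL_image's code from either source package or from the upstream changeset: it models an XCF-style property record as (big-endian type, big-endian length, payload) and shows a reader that trusts the file's length field when copying into a fixed-size member, beside the hardened version that rejects any declared length the destination cannot hold. The struct, field names, PROP_DATA_MAX, the type value 7 and both sample records are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size payload area standing in for a fixed-size union member
 * (size is an assumption for the example). */
#define PROP_DATA_MAX 64

struct xcf_prop {
    uint32_t type;
    uint32_t length;
    uint8_t  data[PROP_DATA_MAX];
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the file's own length field sizes the copy into a
 * fixed buffer. A record with length > PROP_DATA_MAX writes past 'out',
 * which in the caller below lives on the stack. Not called on the crafted
 * record here, since that would be an actual out-of-bounds write. */
int parse_prop_vulnerable(const uint8_t *buf, size_t buflen, struct xcf_prop *out)
{
    if (buflen < 8)
        return -1;
    out->type   = read_be32(buf);
    out->length = read_be32(buf + 4);
    if (buflen - 8 < out->length)            /* bounds the read from buf only */
        return -1;
    memcpy(out->data, buf + 8, out->length); /* never compared to sizeof out->data */
    return 0;
}

/* Hardened: check the declared length against the destination before
 * copying, and treat an oversized record as a malformed file. */
int parse_prop_hardened(const uint8_t *buf, size_t buflen, struct xcf_prop *out)
{
    if (buflen < 8)
        return -1;
    out->type   = read_be32(buf);
    out->length = read_be32(buf + 4);
    if (out->length > PROP_DATA_MAX)         /* the check the vulnerable version lacks */
        return -1;
    if (buflen - 8 < out->length)
        return -1;
    memcpy(out->data, buf + 8, out->length);
    return 0;
}

/* Serialises one constructed record; returns bytes written or 0 if it does not fit. */
static size_t put_record(uint8_t *dst, size_t cap, uint32_t type,
                         uint32_t length, const uint8_t *payload)
{
    if (cap < 8 + (size_t)length)
        return 0;
    for (int i = 0; i < 4; i++) {
        dst[i]     = (uint8_t)(type   >> (24 - 8 * i));
        dst[4 + i] = (uint8_t)(length >> (24 - 8 * i));
    }
    memcpy(dst + 8, payload, length);
    return 8 + length;
}

/* Constructed sample: a well-formed 4-byte property. */
size_t sample_benign_record(uint8_t *dst, size_t cap)
{
    static const uint8_t payload[4] = { 1, 2, 3, 4 };
    return put_record(dst, cap, 7, 4, payload);
}

/* Constructed sample: declared length 200 with 200 real payload bytes, so the
 * file is self-consistent but the record is larger than the 64-byte destination. */
size_t sample_crafted_record(uint8_t *dst, size_t cap)
{
    static uint8_t payload[200];
    memset(payload, 0x41, sizeof payload);
    return put_record(dst, cap, 7, (uint32_t)sizeof payload, payload);
}

int main(void)
{
    uint8_t rec[256];
    struct xcf_prop p;   /* stack object: the overflow target in the vulnerable path */
    size_t n;

    n = sample_benign_record(rec, sizeof rec);
    printf("benign  record: hardened=%d\n", parse_prop_hardened(rec, n, &p));
    n = sample_crafted_record(rec, sizeof rec);
    printf("crafted record: hardened=%d\n", parse_prop_hardened(rec, n, &p));
    /* parse_prop_vulnerable(rec, n, &p) would now copy 200 bytes into p.data[64]. */
    return 0;
}
```

The check belongs before the copy and must compare against the real destination size, not against the remaining file length: the crafted record passes the "is there enough file left" test because the attacker controls both the length field and the payload that follows it.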
--- Begin Message ---
Source: sdl-image1.2
Source-Version: 1.2.12-7

We believe that the bug you reported is fixed in the latest version of
sdl-image1.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fge...@debian.org> (supplier of updated sdl-image1.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Oct 2017 22:15:49 +0200
Source: sdl-image1.2
Binary: libsdl-image1.2 libsdl-image1.2-dev
Architecture: source
Version: 1.2.12-7
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintain...@lists.alioth.debian.org>
Changed-By: Felix Geyer <fge...@debian.org>
Description:
 libsdl-image1.2 - Image loading library for Simple DirectMedia Layer 1.2, libraries
 libsdl-image1.2-dev - Image loading library for Simple DirectMedia Layer 1.2, developme
Closes: 878267
Changes:
 sdl-image1.2 (1.2.12-7) unstable; urgency=medium
 .
   * Fix CVE-2017-2887: buffer overflow in the XCF property handling.
     (Closes: #878267)
Checksums-Sha1:
 07ed939d5b78a2b6328b0b8d7d864c6500d6660e 2230 sdl-image1.2_1.2.12-7.dsc
 953c0b0aae21972006f8c4ad4f06a0527f622c64 7352 sdl-image1.2_1.2.12-7.debian.tar.xz
Checksums-Sha256:
 a2cb9a661237c627e570e78048f851d353e55f8fbbe9b826bd8c0e30eae7db5a 2230 sdl-image1.2_1.2.12-7.dsc
 b3b22c1895c14bc2332f3c960a1715c5b37d9482b66dfe766f7a8847f61ade19 7352 sdl-image1.2_1.2.12-7.debian.tar.xz
Files:
 f562e1574d2bbf998df6f315adafc0bb 2230 libs optional sdl-image1.2_1.2.12-7.dsc
 a0384544cd63db0c7f2053c0d9e79941 7352 libs optional sdl-image1.2_1.2.12-7.debian.tar.xz


--- End Message ---