Your message dated Mon, 29 Jan 2018 22:20:40 +0000
with message-id <e1eghn6-000hxl...@fasolo.debian.org>
and subject line Bug#888314: fixed in p7zip-rar 16.02-2
has caused the Debian Bug report #888314,
regarding p7zip-rar: CVE-2018-5996: Memory Corruptions via RAR PPMd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: p7zip
Version: 16.02+dfsg-4
Severity: grave
Tags: upstream newcomer security
Justification: user security hole

Dear Maintainer,

p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.

These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.

Please update all p7zip* packages to their latest versions as soon as possible.

Thank you.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages p7zip depends on:
ii  libc6       2.26-2
ii  libgcc1     1:7.2.0-19
ii  libstdc++6  7.2.0-19

p7zip recommends no packages.

Versions of packages p7zip suggests:
ii  p7zip-full  16.02+dfsg-4

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: p7zip-rar
Source-Version: 16.02-2

We believe that the bug you reported is fixed in the latest version of
p7zip-rar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <rob...@debian.org> (supplier of updated p7zip-rar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 29 Jan 2018 22:50:53 +0100
Source: p7zip-rar
Binary: p7zip-rar
Architecture: source amd64
Version: 16.02-2
Distribution: unstable
Urgency: medium
Maintainer: Robert Luberda <rob...@debian.org>
Changed-By: Robert Luberda <rob...@debian.org>
Description:
 p7zip-rar  - non-free rar module for p7zip
Closes: 888314
Changes:
 p7zip-rar (16.02-2) unstable; urgency=medium
 .
   * Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by
     applying a few changes from 7Zip 18.00-beta (closes: #888314).
   * Bump debhelper's compat level to 11.
   * Remove `-pie' from hardening options (see: #859442).
   * Use 'https' URL in debian/watch (lintian).
   * Standards-Version: 4.1.3.

--- End Message ---
