Your message dated Fri, 20 Apr 2018 00:51:53 +0000
with message-id <e1f9khj-000dcs...@fasolo.debian.org>
and subject line Bug#896021: fixed in mruby 1.4.0+20180418+git54905e98-1
has caused the Debian Bug report #896021,
regarding mruby: CVE-2018-10199: Use after free in File#initilialize_copy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896021: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896021
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mruby
Version: 1.4.0-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/mruby/mruby/issues/4001

Hi,

The following vulnerability was published for mruby.

CVE-2018-10199[0]:
| In versions of mruby up to and including 1.4.0, a use-after-free
| vulnerability exists in src/io.c::File#initilialize_copy(). An attacker
| that can cause Ruby code to be run can possibly use this to execute
| arbitrary code.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10199
[1] https://github.com/mruby/mruby/issues/4001
[2] https://github.com/mruby/mruby/commit/b51b21fc63c9805862322551387d9036f2b63433

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mruby
Source-Version: 1.4.0+20180418+git54905e98-1

We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwama...@debian.org> (supplier of updated mruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Apr 2018 08:29:33 +0900
Source: mruby
Binary: mruby libmruby-dev
Architecture: source amd64
Version: 1.4.0+20180418+git54905e98-1
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <iwama...@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwama...@debian.org>
Description:
 libmruby-dev - lightweight implementation of the Ruby language (development file
 mruby      - lightweight implementation of the Ruby language
Closes: 896020 896021
Changes:
 mruby (1.4.0+20180418+git54905e98-1) unstable; urgency=medium
 .
   * Update from stable branch(20180418).
     - Fix CVE-2018-10191 (Closes: #896020)
       Use after free caused by integer overflow in environment stack
     - Fix CVE-2018-10199 (Closes: #896021)
       Use after free in File#initilialize_copy
   * Bump Standards-Version to 4.1.4.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
