Your message dated Wed, 05 Sep 2018 16:34:33 +0000
with message-id <e1fxalf-000hmy...@fasolo.debian.org>
and subject line Bug#907983: fixed in lcms2 2.9-3
has caused the Debian Bug report #907983,
regarding lcms2: CVE-2018-16435
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
907983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907983
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lcms2
Version: 2.8-4
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/mm2/Little-CMS/issues/171
Control: fixed -1 2.8-4+deb9u1
Hi,
The following vulnerability was published for lcms2.
CVE-2018-16435[0]:
| Little CMS (aka Little Color Management System) 2.9 has an integer
| overflow in the AllocateDataSet function in cmscgats.c, leading to a
| heap-based buffer overflow in the SetData function via a crafted file
| in the second argument to cmsIT8LoadFromFile.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16435
[1] https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
[2] https://github.com/mm2/Little-CMS/issues/171
Please adjust the affected versions in the BTS as needed, already
added the fixed version for the pending DSA upload.
Regards,
Salvatore
--- End Message ---
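An added illustration of the bug class named in the CVE description above (an allocation size that wraps, so later writes land outside the buffer); it is not code from lcms2 or from this report. The function names, the table layout and the count cap are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical table of (n_fields + 1) x (n_patches + 1) string pointers,
 * with both counts taken from an untrusted file. */
#define MAX_COUNT 32766u  /* cap chosen for this example */

/* Unchecked form: the product is computed in 32 bits and silently wraps. */
static uint32_t table_bytes_unchecked(uint32_t n_fields, uint32_t n_patches)
{
    return (n_fields + 1u) * (n_patches + 1u) * (uint32_t)sizeof(char *);
}

/* Checked form: 0 on success, -1 if a count is out of range or the
 * byte size does not fit in size_t. */
static int table_bytes_checked(uint32_t n_fields, uint32_t n_patches, size_t *out)
{
    if (n_fields > MAX_COUNT || n_patches > MAX_COUNT)
        return -1;
    size_t rows = (size_t)n_fields + 1, cols = (size_t)n_patches + 1;
    if (rows > SIZE_MAX / cols)
        return -1;
    size_t cells = rows * cols;
    if (cells > SIZE_MAX / sizeof(char *))
        return -1;
    *out = cells * sizeof(char *);
    return 0;
}

/* Allocation that refuses hostile counts instead of under-allocating. */
static char **alloc_table(uint32_t n_fields, uint32_t n_patches)
{
    size_t bytes;
    if (table_bytes_checked(n_fields, n_patches, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed counts: 65536 * 65537 cells need about 32 GiB,
     * but the 32-bit product wraps to a far smaller size. */
    printf("unchecked size: %u bytes\n", table_bytes_unchecked(65535u, 65536u));
    printf("checked alloc:  %s\n", alloc_table(65535u, 65536u) ? "ok" : "rejected");
    return 0;
}
```

A writer that indexes the table by the original counts would run past the end of the wrapped-size buffer, which is why the range check belongs before the allocation rather than at each write.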
--- Begin Message ---
Source: lcms2
Source-Version: 2.9-3
We believe that the bug you reported is fixed in the latest version of
lcms2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 907...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Weber <twe...@debian.org> (supplier of updated lcms2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Sep 2018 17:59:06 +0200
Source: lcms2
Binary: liblcms2-dev liblcms2-2 liblcms2-utils
Architecture: source amd64
Version: 2.9-3
Distribution: unstable
Urgency: medium
Maintainer: Thomas Weber <twe...@debian.org>
Changed-By: Thomas Weber <twe...@debian.org>
Description:
liblcms2-2 - Little CMS 2 color management library
liblcms2-dev - Little CMS 2 color management library development headers
liblcms2-utils - Little CMS 2 color management library (utilities)
Closes: 907983
Changes:
lcms2 (2.9-3) unstable; urgency=medium
.
* Fix integer overflow in AllocateDataSet() (CVE-2018-16435)
Thanks to Salvatore Bonaccorso <car...@debian.org> and
Marti Maria <marti.ma...@littlecms.com>
(Closes: #907983)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---