Your message dated Sun, 30 Sep 2018 14:44:11 +0000
with message-id <e1g6cx9-000h7u...@fasolo.debian.org>
and subject line Bug#904905: fixed in libextractor 1:1.7-1
has caused the Debian Bug report #904905,
regarding libextractor: CVE-2018-14347: Infinite loop in extract
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
904905: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libextractor
Version: 1:1.6-2
Severity: important
Tags: security upstream patch
Forwarded: https://gnunet.org/bugs/view.php?id=5399
Hi,
The following vulnerability was published for libextractor.
CVE-2018-14347[0]:
| GNU Libextractor before 1.7 contains an infinite loop vulnerability in
| EXTRACTOR_mpeg_extract_method (mpeg_extractor.c).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14347
[1] https://gnunet.org/bugs/view.php?id=5399
[2] https://gnunet.org/git/libextractor.git/commit/?id=f033468cd36e2b8bf92d747fbd683b2ace8da394
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libextractor
Source-Version: 1:1.7-1
We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 904...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bertrand Marc <bm...@debian.org> (supplier of updated libextractor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 09 Sep 2018 07:15:53 +0200
Source: libextractor
Binary: libextractor3 libextractor-dev extract
Architecture: source amd64
Version: 1:1.7-1
Distribution: unstable
Urgency: medium
Maintainer: Bertrand Marc <bm...@debian.org>
Changed-By: Bertrand Marc <bm...@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 888373 904903 904905 907987
Changes:
 libextractor (1:1.7-1) unstable; urgency=medium
 .
   * New upstream version 1.7:
     + fix stack-buffer-underflow (Closes: #904903, CVE-2018-14346).
     + fix infinite loop in extract (Closes: #904905, CVE-2018-14347).
     + fix build with FFmpeg 4.0 (Closes: #888373).
   * Move the package to salsa and update Vcs-browser and Vcs-git accordingly.
   * Remove build-dependency on mp4v2, as the plugin is not working anyway.
   * Remove CVE-2017-15922.patch and CVE-2017-17440.patch, included upstream.
   * Add a patch to fix missing 0-terminator on corrupted ZIP files
     (Closes: #907987, CVE-2018-16430).
   * Standards-version: 4.2.1.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---