Your message dated Sun, 05 May 2019 18:47:43 +0000
with message-id <e1hnmap-00020i...@fasolo.debian.org>
and subject line Bug#921355: fixed in libpng1.6 1.6.28-1+deb9u1
has caused the Debian Bug report #921355,
regarding libpng1.6: CVE-2019-7317: use-after-free in png_image_free in png.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
921355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921355
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.36-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/glennrp/libpng/issues/275
Control: found -1 1.6.28-1
Control: found -1 1.6.36-2
Hi,

The following vulnerability was published for libpng1.6.

CVE-2019-7317[0]:
| png_image_free in png.c in libpng 1.6.36 has a use-after-free because
| png_image_free_function is called under png_safe_execute.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7317
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
[1] https://github.com/glennrp/libpng/issues/275

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.28-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 921...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Apr 2019 22:12:35 +0200
Source: libpng1.6
Architecture: source
Version: 1.6.28-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 921355
Changes:
libpng1.6 (1.6.28-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Call png_image_free_function without guarding it with png_safe_execute
(CVE-2019-7317) (Closes: #921355)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---