Your message dated Fri, 14 May 2021 07:47:08 +0000
with message-id <e1lhsxm-000ha9...@fasolo.debian.org>
and subject line Bug#988024: fixed in hivex 1.3.18-1+deb10u1
has caused the Debian Bug report #988024,
regarding hivex: CVE-2021-3504
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: hivex
Version: 1.3.19-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for hivex.

CVE-2021-3504[0]:
| Buffer overflow when provided invalid node key length

Making the severity RC as I think the fix needs to go into bullseye.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3504
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1949687
[2] https://listman.redhat.com/archives/libguestfs/2021-May/msg00013.html
[3] https://github.com/libguestfs/hivex/commit/8f1935733b10d974a1a4176d38dd151ed98cf381

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: hivex
Source-Version: 1.3.18-1+deb10u1
Done: Hilko Bengen <ben...@debian.org>

We believe that the bug you reported is fixed in the latest version of
hivex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <ben...@debian.org> (supplier of updated hivex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Apr 2021 18:28:19 +0200
Source: hivex
Architecture: source
Version: 1.3.18-1+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org>
Changed-By: Hilko Bengen <ben...@debian.org>
Closes: 988024
Changes:
 hivex (1.3.18-1+deb10u1) buster-security; urgency=medium
 .
   * Add upstream patch to fix CVE-2021-3504 (Closes: #988024)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
