Your message dated Sat, 06 Nov 2021 19:17:31 +0000
with message-id <e1mjrbz-0002b9...@fasolo.debian.org>
and subject line Bug#992973: fixed in plib 1.8.5-8+deb11u1
has caused the Debian Bug report #992973,
regarding plib: CVE-2021-38714
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
992973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992973
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plib
Version: 1.8.5-8
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://sourceforge.net/p/plib/bugs/55/
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for plib.

CVE-2021-38714[0]:
| In Plib through 1.85, there is an integer overflow vulnerability that
| could result in arbitrary code execution. The vulnerability is found
| in ssgLoadTGA() function in src/ssg/ssgLoadTGA.cxx file.

The severity of this bug is set on purpose higher as it is
probably warranted. There is the following reason for that: plib is
orphaned in Debian for a while, it is obsoleted and unmaintained
upstream as well. Ideally it gets removed from Debian from the next
release, but there would be some reverse dependency issues to be
solved, making it impossible for now to remove the package:

| Checking reverse dependencies...
| # Broken Depends:
| crrcsim: crrcsim [amd64 arm64 armhf i386 mips64el mipsel ppc64el s390x]
| flightgear: flightgear
| openuniverse: openuniverse
| stormbaancoureur: stormbaancoureur
| torcs: torcs
| 
| # Broken Build-Depends:
| crrcsim: libplib-dev
| flightgear: libplib-dev
| torcs: libplib-dev
| 
| Dependency problem found.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-38714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38714
[1] https://sourceforge.net/p/plib/bugs/55/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: plib
Source-Version: 1.8.5-8+deb11u1
Done: Anton Gladky <gl...@debian.org>

We believe that the bug you reported is fixed in the latest version of
plib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gl...@debian.org> (supplier of updated plib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Oct 2021 14:56:13 +0200
Source: plib
Architecture: source
Version: 1.8.5-8+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Anton Gladky <gl...@debian.org>
Closes: 992973
Changes:
 plib (1.8.5-8+deb11u1) bullseye; urgency=medium
 .
   * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
     (Closes: #992973)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
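
Added example, not plib's ssgLoadTGA() code or the Debian patch (neither appears in this thread): the integer-overflow class named in the CVE text and changelog, shown as a wrapping size calculation next to a checked one for a TGA header. The function names, the 256 MiB cap and the accepted pixel depths are assumptions made for illustration; the field offsets are those of the standard 18-byte TGA header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not plib's ssgLoadTGA() code or its patch. */
#define TGA_HEADER_LEN 18
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u) /* assumed policy cap */

struct tga_dims { uint16_t width, height; uint8_t bits; };

/* Read width, height and pixel depth from the fixed TGA header (little-endian). */
int tga_parse_header(const uint8_t *buf, size_t len, struct tga_dims *d)
{
    if (len < TGA_HEADER_LEN) return -1;
    d->width  = (uint16_t)(buf[12] | (buf[13] << 8));
    d->height = (uint16_t)(buf[14] | (buf[15] << 8));
    d->bits   = buf[16];
    return 0;
}

/* Unsafe pattern: 32-bit arithmetic silently reduces the product modulo 2^32. */
uint32_t tga_size_wrapping(const struct tga_dims *d)
{
    return (uint32_t)d->width * d->height * (uint32_t)(d->bits / 8);
}

/* Hardened form: validate fields, multiply in 64 bits, then enforce a cap. */
int tga_size_checked(const struct tga_dims *d, size_t *out)
{
    if (d->width == 0 || d->height == 0) return -1;
    if (d->bits != 8 && d->bits != 16 && d->bits != 24 && d->bits != 32) return -1;
    uint64_t n = (uint64_t)d->width * d->height * (uint64_t)(d->bits / 8); /* < 2^34 */
    if (n > MAX_IMAGE_BYTES) return -1;
    *out = (size_t)n;
    return 0;
}

/* Constructed sample headers: only the three fields read above are filled in. */
static const uint8_t HDR_HUGE[TGA_HEADER_LEN]  = { [13] = 0x80, [15] = 0x80, [16] = 32 };
static const uint8_t HDR_SMALL[TGA_HEADER_LEN] = { [12] = 64, [14] = 32, [16] = 24 };

int main(void)
{
    struct tga_dims d; size_t n = 0;
    tga_parse_header(HDR_HUGE, sizeof HDR_HUGE, &d);
    printf("huge: wrapping=%u checked=%d\n", (unsigned)tga_size_wrapping(&d), tga_size_checked(&d, &n));
    tga_parse_header(HDR_SMALL, sizeof HDR_SMALL, &d);
    int rc = tga_size_checked(&d, &n);
    printf("small: checked=%d bytes=%zu\n", rc, n);
    return 0;
}
```

A 32768 x 32768 image at 32 bits per pixel needs 2^32 bytes, which the wrapping version reports as 0, so a buffer sized from that value would be far smaller than the pixel data a loader then reads into it.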
