Your message dated Sun, 10 Apr 2022 03:03:48 +0000
with message-id <e1ndnrg-000iud...@fasolo.debian.org>
and subject line Bug#1009168: fixed in gzip 1.12-1
has caused the Debian Bug report #1009168,
regarding gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1009168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009168
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xz-utils
Version: 5.2.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2
Control: retitle -2 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
Control: reassign -2 src:gzip 1.10-4
Control: found -2 1.9-3
Hi,
The following vulnerability was published for xz-utils and gzip; both
have to date been assigned the same CVE, and this bug is being cloned
as well for one for gzip.
CVE-2022-1271[0]:
| zgrep, xzgrep: arbitrary-file-write vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-1271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
[1] https://www.openwall.com/lists/oss-security/2022/04/07/8
[2] https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
[3] https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gzip
Source-Version: 1.12-1
Done: Milan Kupcevic <mi...@debian.org>
We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Milan Kupcevic <mi...@debian.org> (supplier of updated gzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Apr 2022 22:22:26 -0400
Source: gzip
Architecture: source
Version: 1.12-1
Distribution: sid
Urgency: high
Maintainer: Milan Kupcevic <mi...@debian.org>
Changed-By: Milan Kupcevic <mi...@debian.org>
Closes: 149775 1009168
Changes:
 gzip (1.12-1) sid; urgency=high
 .
   * new upstream release
     - zgrep: fix arbitrary-file-write vulnerability
       address CVE-2022-1271 (closes: #1009168)
     - report correct length of 4 GiB and larger files (closes: #149775)
     - zgrep: fix "binary file matches" mislabeling; remove
       zgrep-syntax-error.diff patch
     - gzip: port to SIGPIPE-less platforms; remove sigpipe.diff patch
     - gzexe: fix count of lines to skip; remove corresponding patch
   * set standards version to 4.6.0
   * update copyright notice
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---