Source: libmobi
Version: 0.10+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libmobi.

CVE-2022-1533[0]:
| Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to
| 0.11. This vulnerability is capable of arbitrary code execution.

CVE-2022-1534[1]:
| Buffer Over-read at parse_rawml.c:1416 in GitHub repository
| bfabiszewski/libmobi prior to 0.11. The bug causes the program to read
| data past the end of the intended buffer. Typically, this can allow
| attackers to read sensitive information from other memory locations or
| cause a crash.

CVE-2022-1907[2]:
| Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to
| 0.11.

CVE-2022-1908[3]:
| Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to
| 0.11.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

We can probably wait until upstream releases 0.11, but the RC severity
makes sure we do not go unfixed in bookworm.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1533
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1533
[1] https://security-tracker.debian.org/tracker/CVE-2022-1534
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1534
[2] https://security-tracker.debian.org/tracker/CVE-2022-1907
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1907
[3] https://security-tracker.debian.org/tracker/CVE-2022-1908
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1908

Regards,
Salvatore