Your message dated Sun, 29 May 2022 09:29:01 +0200
with message-id <ypmgvstdlt8jj...@eldamar.lan>
and subject line ftpmas...@ftp-master.debian.org: Accepted libmobi 0.11+dfsg-1 (source) into unstable
has caused the Debian Bug report #1011971,
regarding libmobi: CVE-2022-1533 CVE-2022-1534 CVE-2022-1907 CVE-2022-1908
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1011971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libmobi
Version: 0.10+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libmobi.

CVE-2022-1533[0]:
| Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to
| 0.11. This vulnerability is capable of arbitrary code execution.


CVE-2022-1534[1]:
| Buffer Over-read at parse_rawml.c:1416 in GitHub repository
| bfabiszewski/libmobi prior to 0.11. The bug causes the program to read
| data past the end of the intended buffer. Typically, this can allow
| attackers to read sensitive information from other memory locations or
| cause a crash.


CVE-2022-1907[2]:
| Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to
| 0.11.


CVE-2022-1908[3]:
| Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to
| 0.11.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

We can probably wait until upstream releases 0.11, but the RC severity
makes sure we do not go unfixed in bookworm.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1533
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1533
[1] https://security-tracker.debian.org/tracker/CVE-2022-1534
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1534
[2] https://security-tracker.debian.org/tracker/CVE-2022-1907
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1907
[3] https://security-tracker.debian.org/tracker/CVE-2022-1908
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1908

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libmobi
Source-Version: 0.11+dfsg-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

From: Debian FTP Masters <ftpmas...@ftp-master.debian.org>
Resent-From: debian-devel-chan...@lists.debian.org
Reply-To: debian-de...@lists.debian.org
Date: Sat, 28 May 2022 23:05:07 +0000
To: debian-devel-chan...@lists.debian.org
Subject: Accepted libmobi 0.11+dfsg-1 (source) into unstable
Message-Id: <e1nv5uz-000gyf...@fasolo.debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 May 2022 15:38:22 +0000
Source: libmobi
Architecture: source
Version: 0.11+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Bartek Fabiszewski <deb...@fabiszewski.net>
Changed-By: Bartek Fabiszewski <deb...@fabiszewski.net>
Changes:
 libmobi (0.11+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
 .
   * fixed multiple buffer over-reads and null pointer dereferences that can be
     triggered with crafted input. The security impact of these bugs is low,
     they can cause crashes. These bugs were identified by extensive fuzzing by
     various researchers: jimoyong, dupingxin (NSFOCUS Tianji Lab), jieyongma
     (TDHX ICS Security), cnitlrt, beidasoft-cobot-oss-fuzz, han0nly.
     Some of these vulnerabilities have been assigned CVEs:
     CVE-2022-1533, CVE-2022-1534, CVE-2022-1907, CVE-2022-1908.
   * fixed potential leak in dictionary parsing on corrupt data
   * improved portability of encryption key generation
   * updated Xcode and MSVC projects
Checksums-Sha1:
 930fa7696a7e83be1327dab2dcf16e2505f5688e 1847 libmobi_0.11+dfsg-1.dsc
 f2bf33d7885a25d99611b4abeb5d778d0b7a2da8 1369040 libmobi_0.11+dfsg.orig.tar.xz
 ead1238c70000f79d2974e34eede44d6c88d3710 8148 libmobi_0.11+dfsg-1.debian.tar.xz
 9cef077796ca5049515d00e148f0a10aec310587 5395 libmobi_0.11+dfsg-1_source.buildinfo
Checksums-Sha256:
 4f2d772a3e6bbd8d2a8902a060a6cda799c0c2b81d286e88db792810f1b61d2e 1847 libmobi_0.11+dfsg-1.dsc
 1c5c3d780c69b0c143444ad91ca31d4eeac69d0b65e1c5f36c65b4c380236894 1369040 libmobi_0.11+dfsg.orig.tar.xz
 6dff3c107e0532e932182cedae99f8ca1db4a3ad83266316719688dfca476de8 8148 libmobi_0.11+dfsg-1.debian.tar.xz
 93629109b14b04239570ec4ada8ae31cd93bf89c5020965c1db26c7ef3407b34 5395 libmobi_0.11+dfsg-1_source.buildinfo
Files:
 e088af38f0be425c2572694d11d7de02 1847 libs optional libmobi_0.11+dfsg-1.dsc
 76c77a60dfdd5ba518a99cbb9abe781b 1369040 libs optional libmobi_0.11+dfsg.orig.tar.xz
 7fc2b3d9bc71977c69b59d0acda66bd4 8148 libs optional libmobi_0.11+dfsg-1.debian.tar.xz
 1b6f3127f48936fe8e8adba6476901b5 5395 libs optional libmobi_0.11+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

----- End forwarded message -----

--- End Message ---
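The four CVE descriptions in the bug report and the changelog entry above describe one defect class: a parser that trusts a length or offset taken from a crafted file and reads past the end of its buffer, with NULL pointer dereferences on similarly malformed input. The following is an added illustration and is not libmobi code, nor a reconstruction of the parse_rawml.c defect: a constructed length-prefixed record format, a parser written in the unchecked style that produces such over-reads, and a hardened parser that checks every declared length against the bytes remaining and rejects a NULL buffer. The record layout, function names and sample bytes are all assumptions made for this example.

```c
/*
 * Added illustration, not libmobi code: a toy length-prefixed record format
 * parsed two ways. Layout (constructed for this example):
 *   [u8 count] followed by `count` entries of [u8 len][len payload bytes]
 * Both parsers return the sum of all payload bytes.
 */
#include <stdint.h>
#include <stdio.h>

/* Vulnerable style: trusts the embedded lengths and never consults buflen.
 * A crafted `len` larger than the bytes remaining reads past `buf`
 * (a buffer over-read). It is only ever called on well-formed input below;
 * build with -fsanitize=address and pass it kCrafted to see the over-read
 * reported by the sanitizer. */
static size_t sum_entries_unchecked(const uint8_t *buf, size_t buflen)
{
    (void)buflen;                       /* the defect: the bound is ignored */
    size_t pos = 0, total = 0;
    uint8_t count = buf[pos++];
    for (unsigned i = 0; i < count; i++) {
        uint8_t len = buf[pos++];
        for (unsigned j = 0; j < len; j++)
            total += buf[pos + j];      /* over-read when pos + len > buflen */
        pos += len;
    }
    return total;
}

/* Hardened version: every read is preceded by a check against the bytes
 * remaining, and a NULL buffer is rejected rather than dereferenced.
 * Returns 0 and stores the sum in *out, or -1 on malformed input. */
static int sum_entries_checked(const uint8_t *buf, size_t buflen, size_t *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buflen < 1)
        return -1;                      /* need the count byte */
    size_t pos = 0, total = 0;
    uint8_t count = buf[pos++];
    for (unsigned i = 0; i < count; i++) {
        if (buflen - pos < 1)
            return -1;                  /* need the length byte */
        uint8_t len = buf[pos++];
        if (len > buflen - pos)
            return -1;                  /* declared length exceeds the data */
        for (unsigned j = 0; j < len; j++)
            total += buf[pos + j];
        pos += len;
    }
    *out = total;
    return 0;
}

/* Constructed sample inputs (not taken from any real .mobi file). */
static const uint8_t kWellFormed[] = { 2, 2, 0x01, 0x02, 1, 0x03 }; /* sum 6 */
static const uint8_t kCrafted[]    = { 1, 0xFF, 0x01 }; /* claims 255 bytes, has 1 */

/* Helpers returning each outcome so it can be checked programmatically. */
static long demo_wellformed_checked(void)
{
    size_t total = 0;
    return sum_entries_checked(kWellFormed, sizeof kWellFormed, &total) == 0
               ? (long)total : -1;
}
static long demo_wellformed_unchecked(void)
{
    return (long)sum_entries_unchecked(kWellFormed, sizeof kWellFormed);
}
static int demo_crafted_checked(void)
{
    size_t total = 0;
    return sum_entries_checked(kCrafted, sizeof kCrafted, &total);
}
static int demo_null_checked(void)
{
    size_t total = 0;
    return sum_entries_checked(NULL, 16, &total);
}

int main(void)
{
    printf("well-formed, unchecked: %ld\n", demo_wellformed_unchecked());
    printf("well-formed, checked:   %ld\n", demo_wellformed_checked());
    printf("crafted, checked:       %d (rejected)\n", demo_crafted_checked());
    printf("NULL buffer, checked:   %d (rejected)\n", demo_null_checked());
    return 0;
}
```

The pattern the hardened parser follows is the one that fuzzing campaigns like the ones credited in the changelog tend to force on a file-format library: compute `remaining = buflen - pos` before each read, compare the untrusted length against it, and fail closed on mismatch instead of trusting the header.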
