Your message dated Sat, 06 May 2023 16:03:51 +0000
with message-id <e1pvknz-001dm1...@fasolo.debian.org>
and subject line Bug#1034177: fixed in bzip3 1.2.2-2
has caused the Debian Bug report #1034177,
regarding bzip3: CVE-2023-29415 CVE-2023-29416 CVE-2023-29418 CVE-2023-29419 CVE-2023-29420 CVE-2023-29421
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1034177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034177
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bzip2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for bzip2.
CVE-2023-29415[0]:
| An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial
| of service (process hang) can occur with a crafted archive because
| bzip3 does not follow the required procedure for interacting with
| libsais.
https://github.com/kspalaiologos/bzip3/issues/95
https://github.com/kspalaiologos/bzip3/commit/56c24ca1f8f25e648d42154369b6962600f76465
CVE-2023-29416[1]:
| An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A
| bz3_decode_block out-of-bounds write can occur with a crafted archive
| because bzip3 does not follow the required procedure for interacting
| with libsais.
https://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff
(1.3.0)
https://github.com/kspalaiologos/bzip3/issues/92
CVE-2023-29418[2]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| an xwrite out-of-bounds read.
https://github.com/kspalaiologos/bzip3/commit/aae16d107f804f69000c09cd92027a140968cc9d
(1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92
CVE-2023-29419[3]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| a bz3_decode_block out-of-bounds read.
https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602
(1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92
CVE-2023-29420[4]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| a crash caused by an invalid memmove in bz3_decode_block.
https://github.com/kspalaiologos/bzip3/commit/bb06deb85f1c249838eb938e0dab271d4194f8fa
(1.2.3)
https://github.com/kspalaiologos/bzip3/issues/92
CVE-2023-29421[5]:
| An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is
| an out-of-bounds write in bz3_decode_block.
https://github.com/kspalaiologos/bzip3/issues/94
https://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d
(1.2.3)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-29415
https://www.cve.org/CVERecord?id=CVE-2023-29415
[1] https://security-tracker.debian.org/tracker/CVE-2023-29416
https://www.cve.org/CVERecord?id=CVE-2023-29416
[2] https://security-tracker.debian.org/tracker/CVE-2023-29418
https://www.cve.org/CVERecord?id=CVE-2023-29418
[3] https://security-tracker.debian.org/tracker/CVE-2023-29419
https://www.cve.org/CVERecord?id=CVE-2023-29419
[4] https://security-tracker.debian.org/tracker/CVE-2023-29420
https://www.cve.org/CVERecord?id=CVE-2023-29420
[5] https://security-tracker.debian.org/tracker/CVE-2023-29421
https://www.cve.org/CVERecord?id=CVE-2023-29421
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: bzip3
Source-Version: 1.2.2-2
Done: Nobuhiro Iwamatsu <iwama...@debian.org>
We believe that the bug you reported is fixed in the latest version of
bzip3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwama...@debian.org> (supplier of updated bzip3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 06 May 2023 23:59:33 +0900
Source: bzip3
Architecture: source
Version: 1.2.2-2
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <iwama...@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwama...@debian.org>
Closes: 1034177
Changes:
bzip3 (1.2.2-2) unstable; urgency=medium
.
* Add d/patches/CVE-2023-29415.patch. Fix CVE-2023-29415. (Closes: #1034177)
  * https://github.com/kspalaiologos/bzip3/commit/56c24ca1f8f25e648d42154369b6962600f76465
  * https://github.com/kspalaiologos/bzip3/issues/95
* Add d/patches/CVE-2023-29416.patch. Fix CVE-2023-29416. (Closes: #1034177)
  * https://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff
  * https://github.com/kspalaiologos/bzip3/issues/92
* Add d/patches/CVE-2023-29418.patch. Fix CVE-2023-29418. (Closes: #1034177)
  * https://github.com/kspalaiologos/bzip3/commit/aae16d107f804f69000c09cd92027a140968cc9d
  * https://github.com/kspalaiologos/bzip3/issues/92
* Add d/patches/CVE-2023-29419.patch. Fix CVE-2023-29419. (Closes: #1034177)
  * https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602
  * https://github.com/kspalaiologos/bzip3/issues/92
* Add d/patches/CVE-2023-29420.patch. Fix CVE-2023-29420. (Closes: #1034177)
  * https://github.com/kspalaiologos/bzip3/commit/bb06deb85f1c249838eb938e0dab271d4194f8fa
  * https://github.com/kspalaiologos/bzip3/issues/92
* Add d/patches/CVE-2023-29421.patch. Fix CVE-2023-29421. (Closes: #1034177)
  * https://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d
  * https://github.com/kspalaiologos/bzip3/issues/94
Checksums-Sha1:
cb710a380965f7bde8145bd5c31386107b912d9c 1934 bzip3_1.2.2-2.dsc
533c84d961892a4cf41bba3d1eff1972868e6608 7300 bzip3_1.2.2-2.debian.tar.xz
83c9d6c957c5d754576be909662ea4af1d46a528 7411 bzip3_1.2.2-2_amd64.buildinfo
Checksums-Sha256:
8e4fa3b4cb2814f063fc3ffecaa20fc4ecb21618d75f4f23f77e228fbed92a78 1934 bzip3_1.2.2-2.dsc
5b87502805bf78daa48dead7c197e3b08d2d649e273fc25f6fbd33e3dd2748aa 7300 bzip3_1.2.2-2.debian.tar.xz
c55639ca157be3768eb1788ac1affaffd7b4f188eaddb64afbe062fb96778f84 7411 bzip3_1.2.2-2_amd64.buildinfo
Files:
b72d0ca7ecee66433823a6d732267810 1934 devel optional bzip3_1.2.2-2.dsc
edcc6cf1b91157cf0f37d0ab88ad43fb 7300 devel optional bzip3_1.2.2-2.debian.tar.xz
34856204a5d9a8e489cd5af65b922096 7411 devel optional bzip3_1.2.2-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=kD0Y
-----END PGP SIGNATURE-----
--- End Message ---
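A check worth having after reading this thread, added here as an example and not part of the bug report, the Debian tooling or the bzip3 project: the CVE texts in the first message say "bzip3 before 1.2.3" (or 1.3.0), while the second message closes the bug with a patched 1.2.2-2 in unstable. Matching a Debian package against the upstream "before X" range therefore yields a false positive on the fixed package; the reference to compare against is the distribution's fixed version, using dpkg's version ordering (deb-version(5)). The code below is a from-scratch reimplementation of that ordering, not dpkg's code, so that it runs without dpkg installed; the inventory at the bottom is constructed sample data.

```python
"""Decide whether an installed Debian bzip3 is at or past the fixed version,
using dpkg's version ordering. Added example, not project or Debian code."""
import re

_NONDIGIT = re.compile(r"[^0-9]*")
_DIGIT = re.compile(r"[0-9]*")


def _order(ch):
    """Weight of one non-digit character, as dpkg sorts them: '~' before
    everything (including end of string), letters before non-letters. A digit
    or end of string both weigh 0, handled by the caller."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision pair: alternate runs of
    non-digits (character weights) and digits (numeric value)."""
    while a or b:
        na, nb = _NONDIGIT.match(a).group(0), _NONDIGIT.match(b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _order(na[i] if i < len(na) else "")
            wb = _order(nb[i] if i < len(nb) else "")
            if wa != wb:
                return -1 if wa < wb else 1
        da, db = _DIGIT.match(a).group(0), _DIGIT.match(b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision'. A missing epoch is 0; a missing
    revision is '', which compares equal to '0'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Taken from the messages above: the unstable upload that closed #1034177
# and the upstream boundary quoted for CVE-2023-29418..29421.
DEBIAN_FIXED = "1.2.2-2"
UPSTREAM_FIXED = "1.2.3"


def is_fixed(installed, fixed_in=DEBIAN_FIXED):
    """The correct check for a distro package: installed >= tracker's fixed
    version, under dpkg ordering."""
    return compare_versions(installed, fixed_in) >= 0


def upstream_range_says_vulnerable(installed, boundary=UPSTREAM_FIXED):
    """The naive check: test the upstream part of the Debian version against
    the CVE's 'before X' boundary. Wrong for backported fixes; kept to show
    the false positive it produces on 1.2.2-2."""
    _, upstream, _ = parse_version(installed)
    return compare_versions(upstream, boundary) < 0


if __name__ == "__main__":
    # Constructed inventory: (host, output of dpkg-query -W -f='${Version}' bzip3)
    inventory = [("build-01", "1.2.2-1"), ("build-02", "1.2.2-2"),
                 ("build-03", "1.2.2~rc1-1")]
    for host, ver in inventory:
        print(f"{host}: {ver} fixed={is_fixed(ver)} "
              f"naive_vulnerable={upstream_range_says_vulnerable(ver)}")
```

Where dpkg is available the same decision is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' bzip3)" ge 1.2.2-2`; the point of the reimplementation is to run the check from a central inventory without shelling out to each host, and to make the tilde and epoch rules explicit.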