Your message dated Sun, 21 May 2023 11:18:50 +0000
with message-id <e1q0h5o-00h1nz...@fasolo.debian.org>
and subject line Bug#1036281: fixed in libraw 0.20.2-2.1
has caused the Debian Bug report #1036281,
regarding libraw: CVE-2023-1729
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036281: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libraw
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libraw.

CVE-2023-1729[0]:
| A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex()
| caused by a maliciously crafted file may lead to an application crash.

https://bugzilla.redhat.com/show_bug.cgi?id=2188240
https://github.com/LibRaw/LibRaw/issues/557
Fixed by: https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93 (master)
Fixed by: https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828 (0.21-stable)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1729
    https://www.cve.org/CVERecord?id=CVE-2023-1729

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libraw
Source-Version: 0.20.2-2.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 May 2023 21:44:42 +0200
Source: libraw
Architecture: source
Version: 0.20.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1031790 1036281
Changes:
 libraw (0.20.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * check for input buffer size on datastream::gets (CVE-2021-32142)
     (Closes: #1031790)
   * do not set shrink flag for 3/4 component images (CVE-2023-1729)
     (Closes: #1036281)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
