Your message dated Mon, 29 May 2023 19:32:23 +0000
with message-id <e1q3ibp-006osn...@fasolo.debian.org>
and subject line Bug#1036281: fixed in libraw 0.20.2-1+deb11u1
has caused the Debian Bug report #1036281,
regarding libraw: CVE-2023-1729
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1036281: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libraw
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for libraw.
CVE-2023-1729[0]:
| A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex()
| caused by a maliciously crafted file may lead to an application crash.
https://bugzilla.redhat.com/show_bug.cgi?id=2188240
https://github.com/LibRaw/LibRaw/issues/557
Fixed by:
https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93
(master)
Fixed by:
https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828
(0.21-stable)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1729
https://www.cve.org/CVERecord?id=CVE-2023-1729
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libraw
Source-Version: 0.20.2-1+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libraw package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 May 2023 07:51:55 +0200
Source: libraw
Architecture: source
Version: 0.20.2-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1031790 1036281
Changes:
libraw (0.20.2-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* check for input buffer size on datastream::gets (CVE-2021-32142)
(Closes: #1031790)
* do not set shrink flag for 3/4 component images (CVE-2023-1729)
(Closes: #1036281)
Checksums-Sha1:
c97542c8d3c1a032bee9a0ce50aab3dff2a3edab 2371 libraw_0.20.2-1+deb11u1.dsc
0b425d9a5ed873adeeb68ea1b4945745f3ec1507 512176 libraw_0.20.2.orig.tar.gz
5689b82f4d93fa85f715fb391ed878965482dac1 23208 libraw_0.20.2-1+deb11u1.debian.tar.xz
Checksums-Sha256:
b8ec7dc340f46a1925f717067efe905449628cb76581a75aa92ddd1d7e4f1b68 2371 libraw_0.20.2-1+deb11u1.dsc
02df7d403b34602b769bb38e5bf7d4258e075eeefbe980b6832e6e1491989d60 512176 libraw_0.20.2.orig.tar.gz
bd16a68a2d776b77964e931d67cf08b342639540b11ba12bcfe305c36ae11772 23208 libraw_0.20.2-1+deb11u1.debian.tar.xz
Files:
9405bdd1638d2e715351385b41bafb76 2371 libs optional libraw_0.20.2-1+deb11u1.dsc
f92fd7c0f47b771e18607a2198618d15 512176 libs optional libraw_0.20.2.orig.tar.gz
a00883b5ca1cdab77813f4048b8acf39 23208 libs optional libraw_0.20.2-1+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=Kff3
-----END PGP SIGNATURE-----
--- End Message ---
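The practical follow-up to a close like this is checking whether the libraw packages actually installed on bullseye hosts are at or above 0.20.2-1+deb11u1. The block below is an added example, not code from the Debian BTS messages or from the libraw or dpkg projects: it reimplements dpkg's version-comparison algorithm (epoch, then upstream version, then Debian revision, with "~" sorting before everything and non-digit runs compared by dpkg's character ordering) in pure Python so a saved `dpkg-query -W -f='${Package}:${Architecture} ${Version}\n'` export can be checked offline. The sample dpkg-query output is constructed for the example, and the binary package names in it (libraw20, libraw-dev, libraw-bin) are assumptions about how the libraw source package is split; only the fixed version string comes from the messages above.

```python
"""Check installed libraw versions against the bullseye-security fix.

Added example, not part of the Debian BTS thread. Pure-Python port of the
comparison dpkg performs; on a live host `dpkg --compare-versions a lt b`
gives the same answer.
"""

# Fixed version named in the bug-closing message above (bullseye-security).
FIXED_VERSION = "0.20.2-1+deb11u1"

# Constructed sample of `dpkg-query -W -f='${Package}:${Architecture} ${Version}\n'`
# output. Package names are assumed for the example, not taken from the thread.
SAMPLE_DPKG_QUERY = """\
libraw-bin:amd64 0.20.2-1
libraw-dev:amd64 0.20.2-1+deb11u1
libraw20:amd64 0.20.2-1+deb11u1
libraw20:i386 0.20.2-1
libpng16-16:amd64 1.6.37-3
"""


def _digit(s):
    """True if s starts with an ASCII digit (str.isdigit also accepts Unicode digits)."""
    return bool(s) and s[0] in "0123456789"


def _order(c):
    """Sort weight of one non-digit character, mirroring dpkg's order().

    End of string weighs 0, '~' sorts before the end of string (so 1~rc1 < 1),
    letters sort by ASCII value, and everything else sorts after all letters.
    """
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings as dpkg's verrevcmp() does.

    Alternates between non-digit runs (compared character by character via
    _order) and digit runs (compared numerically, leading zeros ignored).
    Returns a negative, zero or positive number.
    """
    while a or b:
        while (a and not _digit(a)) or (b and not _digit(b)):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while _digit(a) and _digit(b):
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if _digit(a):      # a has more digits left, so it is numerically larger
            return 1
        if _digit(b):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).

    The revision is everything after the LAST hyphen; a missing epoch is 0 and a
    missing revision is the empty string (dpkg treats it as equal to "0").
    """
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a sorts before, equal to or after b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed, fixed=FIXED_VERSION):
    """True if the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def unfixed_packages(dpkg_output, fixed=FIXED_VERSION, source_prefix="libraw"):
    """Return (package, version) pairs from dpkg-query output still below `fixed`.

    Expects one 'package[:arch] version' pair per line; only packages whose
    name starts with source_prefix are considered.
    """
    below = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, version = line.split()
        if pkg.startswith(source_prefix) and not is_fixed(version, fixed):
            below.append((pkg, version))
    return below


if __name__ == "__main__":
    for pkg, ver in unfixed_packages(SAMPLE_DPKG_QUERY):
        print(f"{pkg} {ver} is below {FIXED_VERSION}")
```

The fixed version is suite-specific: 0.20.2-1+deb11u1 is the bullseye-security upload, so a bookworm host with 0.21.x compares as "fixed" (correctly, since the upstream 0.21-stable commit cited in the report is included there), while a buster or backports version compares as "not fixed" and needs its own suite's tracker entry checked rather than this number.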