Your message dated Sun, 06 Oct 2024 16:32:49 +0000
with message-id <e1sxubd-00cpjq...@fasolo.debian.org>
and subject line Bug#1084056: fixed in libgsf 1.14.50-1+deb12u1
has caused the Debian Bug report #1084056,
regarding libgsf: CVE-2024-36474 CVE-2024-42415
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1084056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgsf
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libgsf.

CVE-2024-36474[0]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of the GNOME Project G Structured File
| Library (libgsf) version v1.14.52. A specially crafted file can
| result in an integer overflow when processing the directory from the
| file that allows for an out-of-bounds index to be used when reading
| and writing to an array. This can lead to arbitrary code execution.
| An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2068

CVE-2024-42415[1]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of v1.14.52 of the GNOME Project G
| Structured File Library (libgsf). A specially crafted file can
| result in an integer overflow that allows for a heap-based buffer
| overflow when processing the sector allocation table. This can lead
| to arbitrary code execution. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2069

Both are tracked/fixed upstream via:
https://gitlab.gnome.org/GNOME/libgsf/-/issues/34
https://gitlab.gnome.org/GNOME/libgsf/-/commit/06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36474
    https://www.cve.org/CVERecord?id=CVE-2024-36474
[1] https://security-tracker.debian.org/tracker/CVE-2024-42415
    https://www.cve.org/CVERecord?id=CVE-2024-42415

Please adjust the affected versions in the BTS as needed.

--- End Message ---
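The two CVE texts above describe the same bug class twice: a 32-bit product computed from header-controlled counts (SAT sizing) or a header-controlled index (directory entry links) used without a bound check. The block below is an added illustration written for this page; it is not libgsf's code and not the patched code path from the upstream commit. It is a small OLE2/CFB header parser in C that shows each arithmetic pattern unchecked beside its checked form. Header field offsets follow the published MS-CFB layout (sector shift at 0x1E, directory sector count at 0x28, FAT sector count at 0x2C, 512-byte header); the function names, the `cfb_info` struct and the constructed sample header are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not libgsf's code. Offsets follow MS-CFB. */
#define CFB_HEADER_SIZE 512u
#define CFB_NOSTREAM    0xFFFFFFFFu   /* "no entry" marker in directory links */
#define CFB_DIR_ENTRY   128u          /* bytes per directory entry */

static const uint8_t CFB_MAGIC[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* UNCHECKED: SAT entry count as a 32-bit product. With sector_shift 9, a
 * FAT-sector count of 0x40000001 wraps to 128, so a buffer sized from this
 * value is tiny while a fill loop that trusts the header count runs past it. */
uint32_t sat_entries_unchecked(uint32_t num_fat_sectors, unsigned sector_shift)
{
    uint32_t entries_per_sector = (1u << sector_shift) / 4u;
    return num_fat_sectors * entries_per_sector;   /* silent wrap-around */
}

/* CHECKED: pin the sector size to the two values MS-CFB allows, require
 * every claimed FAT sector to lie inside the file, multiply in 64 bits.
 * Returns 1 on success, 0 if the header is rejected. */
int sat_entries_checked(uint32_t num_fat_sectors, unsigned sector_shift,
                        uint64_t file_size, uint64_t *out_entries)
{
    if (sector_shift != 9 && sector_shift != 12) return 0;
    uint64_t sector_size = 1ull << sector_shift;
    if (file_size < CFB_HEADER_SIZE) return 0;
    if (num_fat_sectors > (file_size - CFB_HEADER_SIZE) / sector_size) return 0;
    *out_entries = (uint64_t)num_fat_sectors * (sector_size / 4u);
    return 1;
}

/* Directory links (siblings, child) are 32-bit entry indices. Used raw as
 * an array subscript they read or write out of bounds; the checked form
 * only accepts NOSTREAM or an index below the number of entries. */
int dir_link_checked(uint32_t did, uint64_t num_entries, uint32_t *out)
{
    if (did == CFB_NOSTREAM) { *out = CFB_NOSTREAM; return 1; }
    if (did >= num_entries) return 0;
    *out = did;
    return 1;
}

struct cfb_info {           /* hypothetical container for parsed header fields */
    unsigned sector_shift;
    uint32_t num_dir_sectors, num_fat_sectors;
    uint64_t sat_entries, dir_entries;
};

/* Parse a header with the checked arithmetic; file_size is the container length.
 * Note: version-3 writers store 0 at 0x28 and the directory size comes from
 * walking its FAT chain (not shown); the field is used here for illustration. */
int parse_cfb_header(const uint8_t *hdr, size_t hdr_len, uint64_t file_size, struct cfb_info *info)
{
    if (hdr_len < CFB_HEADER_SIZE || memcmp(hdr, CFB_MAGIC, 8) != 0) return 0;
    info->sector_shift    = rd16(hdr + 0x1E);
    info->num_dir_sectors = rd32(hdr + 0x28);
    info->num_fat_sectors = rd32(hdr + 0x2C);
    if (!sat_entries_checked(info->num_fat_sectors, info->sector_shift, file_size, &info->sat_entries))
        return 0;
    uint64_t sector_size = 1ull << info->sector_shift;
    if (info->num_dir_sectors > (file_size - CFB_HEADER_SIZE) / sector_size) return 0;
    info->dir_entries = (uint64_t)info->num_dir_sectors * (sector_size / CFB_DIR_ENTRY);
    return 1;
}

/* Constructed 512-byte sample header (not taken from any real file). */
void build_cfb_header(uint8_t buf[512], unsigned sector_shift, uint32_t num_dir_sectors, uint32_t num_fat_sectors)
{
    memset(buf, 0, CFB_HEADER_SIZE);
    memcpy(buf, CFB_MAGIC, 8);
    buf[0x1E] = (uint8_t)sector_shift;
    wr32(buf + 0x28, num_dir_sectors);
    wr32(buf + 0x2C, num_fat_sectors);
}

int main(void)
{
    uint8_t hdr[512];
    struct cfb_info info;
    /* Crafted: FAT-sector count chosen so the 32-bit product wraps to 128. */
    build_cfb_header(hdr, 9, 1, 0x40000001u);
    printf("unchecked SAT entries: %u\n", sat_entries_unchecked(0x40000001u, 9));
    printf("checked parse of crafted header: %s\n",
           parse_cfb_header(hdr, sizeof hdr, 1u << 20, &info) ? "accepted" : "rejected");
    return 0;
}
```

The unchecked product is the shape of CVE-2024-42415 (a too-small heap buffer for the SAT), the index check is the shape of CVE-2024-36474 (an out-of-bounds directory index); both defences are the same idea, bound every header-derived count against the file before using it for allocation or indexing.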
--- Begin Message ---
Source: libgsf
Source-Version: 1.14.50-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libgsf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libgsf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Oct 2024 22:03:36 +0200
Source: libgsf
Architecture: source
Version: 1.14.50-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1084056
Changes:
 libgsf (1.14.50-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * OLE2: Fix allocation problems (CVE-2024-42415, CVE-2024-36474)
     (Closes: #1084056)
Checksums-Sha1:
 86552482bb5576e29d566b63e4ae04a8db1afdbc 2455 libgsf_1.14.50-1+deb12u1.dsc
 32d0daa2cb5fab646fbf0f8bce4a776f8dadf35d 702424 libgsf_1.14.50.orig.tar.xz
 a1915b3880b7934fd21eedcb889072b6fe731d4f 15284 libgsf_1.14.50-1+deb12u1.debian.tar.xz
 052a1d6b2ef825c005215b00d6edc177310d3a85 7237 libgsf_1.14.50-1+deb12u1_source.buildinfo
Checksums-Sha256:
 16b564b039d46a6b7423aa2c97514d236e4dd0c6f07d43c5e8d512723f1c163c 2455 libgsf_1.14.50-1+deb12u1.dsc
 6e6c20d0778339069d583c0d63759d297e817ea10d0d897ebbe965f16e2e8e52 702424 libgsf_1.14.50.orig.tar.xz
 cce2b2a627d43c054c3125d739d902ae4fec7a49e6767ea0e0c78ff891c0ca1f 15284 libgsf_1.14.50-1+deb12u1.debian.tar.xz
 46841a9bbc0f0e7b4e0a9a19ba63d17bc6b45368f00f47de8e377d43cbddc921 7237 libgsf_1.14.50-1+deb12u1_source.buildinfo
Files:
 9406d7d98be91fd7846ad85ecb1d0af9 2455 libs optional libgsf_1.14.50-1+deb12u1.dsc
 1e9088c9c8869532945a10f12f1829c2 702424 libs optional libgsf_1.14.50.orig.tar.xz
 b3d0efef681b830a280ef2cb7288c1cd 15284 libs optional libgsf_1.14.50-1+deb12u1.debian.tar.xz
 9fc9b34f103b0c7166f4ea8001e9b8d6 7237 libs optional libgsf_1.14.50-1+deb12u1_source.buildinfo


--- End Message ---
