Your message dated Mon, 07 Oct 2024 13:56:51 +0000
with message-id <e1sxoef-00gzww...@fasolo.debian.org>
and subject line Bug#1084056: fixed in libgsf 1.14.52-1.1
has caused the Debian Bug report #1084056,
regarding libgsf: CVE-2024-36474 CVE-2024-42415
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1084056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgsf
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libgsf.

CVE-2024-36474[0]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of the GNOME Project G Structured File
| Library (libgsf) version v1.14.52. A specially crafted file can
| result in an integer overflow when processing the directory from the
| file that allows for an out-of-bounds index to be used when reading
| and writing to an array. This can lead to arbitrary code execution.
| An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2068

CVE-2024-42415[1]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of v1.14.52 of the GNOME Project G
| Structured File Library (libgsf). A specially crafted file can
| result in an integer overflow that allows for a heap-based buffer
| overflow when processing the sector allocation table. This can lead
| to arbitrary code execution. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2069

Both are tracked/fixed upstream via:
https://gitlab.gnome.org/GNOME/libgsf/-/issues/34
https://gitlab.gnome.org/GNOME/libgsf/-/commit/06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36474
    https://www.cve.org/CVERecord?id=CVE-2024-36474
[1] https://security-tracker.debian.org/tracker/CVE-2024-42415
    https://www.cve.org/CVERecord?id=CVE-2024-42415

Please adjust the affected versions in the BTS as needed.

--- End Message ---
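Both advisories in the report above describe the same defect class: a size or index derived from 32-bit header fields overflows, and the result is then used to allocate or index the sector allocation table (SAT) and directory. The block below is an added example, not libgsf's code or the upstream fix, showing the unchecked arithmetic next to a hardened form and a range-checked chain walk; the sanity cap, the function names and the sample table are constructed for illustration, while the ENDOFCHAIN marker and the 512/4096-byte sector sizes are the values the Compound File Binary format defines.

```c
/* Added example, not libgsf's code: the two defensive checks an OLE2 /
 * Compound Document Binary parser needs at the points the report names,
 * sizing the sector allocation table (SAT) and indexing into it.
 * Names, the sanity cap and the sample table are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CFB_ENDOFCHAIN  0xFFFFFFFEu     /* end-of-chain marker from the CFB format */
#define CFB_MAX_SECTORS 0x10000000u     /* assumed sanity cap on the sector count */

/* The pattern that overflows: a 32-bit product of two header fields. */
static uint32_t sat_bytes_unchecked(uint32_t num_sectors, uint32_t sector_size)
{
    return num_sectors * sector_size;   /* wraps modulo 2^32 */
}

/* Hardened form: compute in 64 bits, reject absurd counts, and make sure
 * the result fits a size_t before it reaches an allocator. Returns 0 on
 * any rejection (0 is never a valid table size). */
static size_t sat_bytes_checked(uint32_t num_sectors, uint32_t sector_size)
{
    if (num_sectors == 0 || num_sectors > CFB_MAX_SECTORS)
        return 0;
    if (sector_size != 512 && sector_size != 4096)
        return 0;                       /* only the sizes the format defines */
    uint64_t total = (uint64_t)num_sectors * sector_size;
    if (total > (uint64_t)SIZE_MAX)
        return 0;
    return (size_t)total;
}

/* Walk a sector chain. Every index read from the file is range-checked
 * before it is used, and the step counter bounds the walk so a cyclic
 * chain cannot spin forever. Returns the chain length, or -1 on a
 * malformed chain. */
static long sat_chain_length(const uint32_t *sat, uint32_t nentries, uint32_t start)
{
    long count = 0;
    uint32_t cur = start;
    while (cur != CFB_ENDOFCHAIN) {
        if (cur >= nentries)
            return -1;                  /* out-of-bounds index (also rejects FREESECT etc.) */
        if (++count > (long)nentries)
            return -1;                  /* more steps than entries: a loop */
        cur = sat[cur];
    }
    return count;
}

/* Constructed sample SAT: chain 0->1->2->END, a loop 3<->4, a dangling
 * index at 5, and a one-sector chain at 6. */
static const uint32_t sample_sat[] = { 1, 2, CFB_ENDOFCHAIN, 4, 3, 100, CFB_ENDOFCHAIN };
static const uint32_t sample_sat_len = sizeof sample_sat / sizeof sample_sat[0];

int main(void)
{
    printf("unchecked 0x800000 * 512 = %u (wrapped)\n",
           sat_bytes_unchecked(0x800000u, 512));
    printf("checked   0x800000 * 512 = %zu\n", sat_bytes_checked(0x800000u, 512));
    printf("chain from 0: %ld\n", sat_chain_length(sample_sat, sample_sat_len, 0));
    printf("chain from 3: %ld (loop)\n", sat_chain_length(sample_sat, sample_sat_len, 3));
    printf("chain from 5: %ld (bad index)\n", sat_chain_length(sample_sat, sample_sat_len, 5));
    return 0;
}
```

The point of the checked variant is that the rejection happens before any allocation: a count of 0x800000 sectors at 512 bytes is 4 GiB, which the 32-bit product silently turns into 0, and an allocator handed 0 bytes followed by writes sized from the original count is exactly the heap overflow the second CVE describes. The chain walk covers the first CVE's failure mode from the defender's side: an index is only ever used after it has been compared against the table length.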
--- Begin Message ---
Source: libgsf
Source-Version: 1.14.52-1.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libgsf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libgsf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 05 Oct 2024 15:02:44 +0200
Source: libgsf
Architecture: source
Version: 1.14.52-1.1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1084056
Changes:
 libgsf (1.14.52-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * OLE2: Fix allocation problems (CVE-2024-42415, CVE-2024-36474)
     (Closes: #1084056)
Checksums-Sha1:
 a24c086999ff7036ce9881bb77d663016e919260 2439 libgsf_1.14.52-1.1.dsc
 1d2be725a46588802ff0f1e480c19c8c1dc1ccce 15632 libgsf_1.14.52-1.1.debian.tar.xz
 65bb74913b1816cf623c6c70ddcccb41bc3ea835 7213 libgsf_1.14.52-1.1_source.buildinfo
Checksums-Sha256:
 d22412a6bd6b3e9b51b663c338a632693a3e9d031dd4c98a2aed2b140e6855a6 2439 libgsf_1.14.52-1.1.dsc
 fca18fe22fc1cac1f6a685992e4aa3b4d35b4709e5efbdd04e3d9a0e212dd408 15632 libgsf_1.14.52-1.1.debian.tar.xz
 c408508addc0ea2df9c66aba6209a92ff560c20459034df3b76e9ffca686c04e 7213 libgsf_1.14.52-1.1_source.buildinfo
Files:
 4b505f2f662c7f79d88f29e627bc9f5a 2439 libs optional libgsf_1.14.52-1.1.dsc
 d28afd038d2a98411f5ab0ccf92be7af 15632 libs optional libgsf_1.14.52-1.1.debian.tar.xz
 fae9d1a26f1e27ffb739ceaf0ad3bdac 7213 libs optional libgsf_1.14.52-1.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpjSDqrApSJ1.pgp
Description: PGP signature


--- End Message ---