Your message dated Mon, 16 Jun 2025 16:34:09 +0000
with message-id <e1urcmf-0086jt...@fasolo.debian.org>
and subject line Bug#1107168: fixed in catdoc 1:0.95-6
has caused the Debian Bug report #1107168,
regarding catdoc: CVE-2024-48877 CVE-2024-52035 CVE-2024-54028
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1107168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107168
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: catdoc
Version: 1:0.95-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:0.95-4.1
Hi,
The following vulnerabilities were published for catdoc.
CVE-2024-48877[0]:
| A memory corruption vulnerability exists in the Shared String Table
| Record Parser implementation in xls2csv utility version 0.95. A
| specially crafted malformed file can lead to a heap buffer overflow.
| An attacker can provide a malicious file to trigger this
| vulnerability.
CVE-2024-52035[1]:
| An integer overflow vulnerability exists in the OLE Document File
| Allocation Table Parser functionality of catdoc 0.95. A specially
| crafted malformed file can lead to heap-based memory corruption. An
| attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-54028[2]:
| An integer underflow vulnerability exists in the OLE Document DIFAT
| Parser functionality of catdoc 0.95. A specially crafted malformed
| file can lead to heap-based memory corruption. An attacker can
| provide a malicious file to trigger this vulnerability.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-48877
https://www.cve.org/CVERecord?id=CVE-2024-48877
[1] https://security-tracker.debian.org/tracker/CVE-2024-52035
https://www.cve.org/CVERecord?id=CVE-2024-52035
[2] https://security-tracker.debian.org/tracker/CVE-2024-54028
https://www.cve.org/CVERecord?id=CVE-2024-54028
Regards,
Salvatore
--- End Message ---
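The three advisories quoted above share one defect class: a count or size read from the file is used in arithmetic (a multiplication for an allocation, a subtraction for a remaining-entries count) before it is checked, so a malformed OLE2 container can make the FAT or DIFAT parser allocate too little or read past a sector. The following C example is added here as an illustration and is not catdoc's code or the Talos patches: the header struct is a constructed subset of the real CFB header, the layout constants (512-byte header, 109 DIFAT entries in the header, the ENDOFCHAIN/FREESECT sentinels) follow the public CFB specification, and the sample file is constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Layout constants from the public CFB (OLE2) specification. */
#define CFB_HEADER_SIZE          512u
#define CFB_HEADER_DIFAT_ENTRIES 109u
#define CFB_ENDOFCHAIN           0xFFFFFFFEu
#define CFB_FREESECT             0xFFFFFFFFu
#define CFB_MAXREGSECT           0xFFFFFFFAu  /* highest ordinary sector id */

/* Constructed subset of the CFB header; not catdoc's own structure. */
typedef struct {
    uint16_t sector_shift;                     /* sector size = 1 << sector_shift */
    uint32_t num_fat_sectors;                  /* FAT sectors the file claims to have */
    uint32_t num_difat_sectors;                /* DIFAT sectors beyond the header */
    uint32_t first_difat_sector;
    uint32_t difat[CFB_HEADER_DIFAT_ENTRIES];  /* DIFAT entries held in the header */
} cfb_header_t;

static uint32_t rd32le(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32le(uint8_t *p, uint32_t v)
{ p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff; }

/* Bytes needed for the whole FAT: 0 when the shift is absurd, the
   product would wrap size_t, or the result exceeds the file size. */
size_t fat_alloc_size(const cfb_header_t *h, size_t file_size)
{
    if (h->sector_shift < 7 || h->sector_shift > 20 || h->num_fat_sectors == 0) return 0;
    size_t sector_size = (size_t)1 << h->sector_shift;
    if ((size_t)h->num_fat_sectors > SIZE_MAX / sector_size) return 0;  /* multiply would wrap */
    size_t bytes = (size_t)h->num_fat_sectors * sector_size;
    return bytes > file_size ? 0 : bytes;
}

/* Offset of sector `sect` if the whole sector lies inside the file. The test
   is done against the trusted file size, never by subtracting from the
   untrusted sector id, so it cannot underflow. */
static bool sector_offset(uint32_t sect, size_t sector_size, size_t file_size, size_t *off)
{
    if (sect > CFB_MAXREGSECT || file_size < CFB_HEADER_SIZE + sector_size) return false;
    size_t nsectors = (file_size - CFB_HEADER_SIZE) / sector_size;
    if ((size_t)sect >= nsectors) return false;
    *off = CFB_HEADER_SIZE + (size_t)sect * sector_size;
    return true;
}

/* Collect FAT sector ids from the header DIFAT and the DIFAT chain into `out`.
   Returns the count, or -1 when the file is inconsistent. Every loop is bounded
   by a validated header count, so a truncated, looping or over-long DIFAT chain
   can neither read nor write past a buffer. */
long collect_fat_sectors(const uint8_t *file, size_t file_size,
                         const cfb_header_t *h, uint32_t *out, size_t out_cap)
{
    if (fat_alloc_size(h, file_size) == 0) return -1;
    size_t sector_size = (size_t)1 << h->sector_shift;
    size_t want = h->num_fat_sectors, got = 0;
    if (want > out_cap) return -1;
    for (size_t i = 0; i < CFB_HEADER_DIFAT_ENTRIES && got < want; i++) {
        if (h->difat[i] == CFB_FREESECT) return -1;   /* fewer entries than claimed */
        out[got++] = h->difat[i];
    }
    size_t per_sector = sector_size / 4 - 1;          /* last slot links to the next DIFAT sector */
    uint32_t sect = h->first_difat_sector;
    for (uint32_t n = 0; got < want; n++) {
        size_t off;
        if (n >= h->num_difat_sectors) return -1;     /* chain longer than the header declares */
        if (!sector_offset(sect, sector_size, file_size, &off)) return -1;
        for (size_t i = 0; i < per_sector && got < want; i++) {
            uint32_t id = rd32le(file + off + 4 * i);
            if (id == CFB_FREESECT) return -1;
            out[got++] = id;
        }
        sect = rd32le(file + off + 4 * per_sector);
    }
    for (size_t i = 0; i < got; i++) {                /* every FAT sector must be inside the file */
        size_t off;
        if (!sector_offset(out[i], sector_size, file_size, &off)) return -1;
    }
    return (long)got;
}

/* Constructed sample: 512-byte sectors, sectors 0..110 are FAT, sector 111 is
   a DIFAT sector that lists FAT sectors 109 and 110 and ends the chain. */
#define SAMPLE_SIZE (CFB_HEADER_SIZE + 112u * 512u)
static uint8_t sample[SAMPLE_SIZE];
static void build_sample(cfb_header_t *h)
{
    h->sector_shift = 9; h->num_fat_sectors = 111; h->num_difat_sectors = 1; h->first_difat_sector = 111;
    for (uint32_t i = 0; i < CFB_HEADER_DIFAT_ENTRIES; i++) h->difat[i] = i;
    uint8_t *d = sample + CFB_HEADER_SIZE + 111 * 512;
    for (size_t i = 0; i < 128; i++) wr32le(d + 4 * i, CFB_FREESECT);
    wr32le(d, 109); wr32le(d + 4, 110); wr32le(d + 4 * 127, CFB_ENDOFCHAIN);
}
long demo_wellformed(void)       /* all 111 FAT sectors are found: returns 111 */
{ cfb_header_t h; uint32_t fat[256]; build_sample(&h);
  return collect_fat_sectors(sample, SAMPLE_SIZE, &h, fat, 256); }
long demo_chain_overrun(void)    /* header claims 112 FAT sectors, DIFAT lists 111: returns -1 */
{ cfb_header_t h; uint32_t fat[256]; build_sample(&h); h.num_fat_sectors = 112;
  return collect_fat_sectors(sample, SAMPLE_SIZE, &h, fat, 256); }
size_t demo_size_overflow(void)  /* 0xFFFFFFFF sectors of 4 KiB: rejected, returns 0 */
{ cfb_header_t h; build_sample(&h); h.sector_shift = 12; h.num_fat_sectors = 0xFFFFFFFFu;
  return fat_alloc_size(&h, SAMPLE_SIZE); }
```

The design point is that each untrusted field is compared against a trusted quantity (the real file size, a validated count) before it enters any multiplication or subtraction, and each loop over file-supplied chains is capped by a header count that was itself validated. A parser that computes `count * sector_size` or `remaining - used` first and checks afterwards has already lost on a 32-bit wrap.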
--- Begin Message ---
Source: catdoc
Source-Version: 1:0.95-6
Done: Martina Ferrari <t...@debian.org>
We believe that the bug you reported is fixed in the latest version of
catdoc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martina Ferrari <t...@debian.org> (supplier of updated catdoc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Jun 2025 16:10:01 +0000
Source: catdoc
Architecture: source
Version: 1:0.95-6
Distribution: unstable
Urgency: medium
Maintainer: Martina Ferrari <t...@debian.org>
Changed-By: Martina Ferrari <t...@debian.org>
Closes: 1107168
Changes:
catdoc (1:0.95-6) unstable; urgency=medium
.
  * Add patches prepared by Cisco Talos team to address multiple security
    vulnerabilities: CVE-2024-48877, CVE-2024-52035, and CVE-2024-54028.
    Thanks to Ali Rizvi-Santiago from the Talos team who found and fixed the
    vulnerabilities, and to Salvatore Bonaccorso from the Debian Security Team
    for all his help and infinite patience.
    Closes: #1107168
Checksums-Sha1:
5d918915881a15c6ca6efd32f2b4b7f2129234a3 1814 catdoc_0.95-6.dsc
e717829e052fdf603a9994418a11484b94b78dc6 16116 catdoc_0.95-6.debian.tar.xz
3eef8a452fb273838fb6698d7dc36d90fef8491f 6696 catdoc_0.95-6_amd64.buildinfo
Checksums-Sha256:
713c020e389021e3c2423c81397ee2807d9a57fd72d97d1ba6a42540e8d82684 1814 catdoc_0.95-6.dsc
943ec46b792d576c469212a75e4d702c672b664558176440f76ccbc03510dc70 16116 catdoc_0.95-6.debian.tar.xz
bb44194f4b86ce79abd0086459f34ee4e0dd09e9b6a3be43069014f7ee3a453e 6696 catdoc_0.95-6_amd64.buildinfo
Files:
e8c5a4485ec488356d61b4de376b4326 1814 text optional catdoc_0.95-6.dsc
39bb6a3aef988869582a4b4d247728d2 16116 text optional catdoc_0.95-6.debian.tar.xz
3accff55d15e1e19970ec82b013216fb 6696 text optional catdoc_0.95-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpFuKZdlONRC.pgp
Description: PGP signature
--- End Message ---