Your message dated Mon, 30 Jun 2025 19:02:24 +0000
with message-id <e1uwjlo-004uvc...@fasolo.debian.org>
and subject line Bug#1107168: fixed in catdoc 1:0.95-6~deb12u1
has caused the Debian Bug report #1107168,
regarding catdoc: CVE-2024-48877 CVE-2024-52035 CVE-2024-54028
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1107168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107168
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: catdoc
Version: 1:0.95-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:0.95-4.1
Hi,
The following vulnerabilities were published for catdoc.
CVE-2024-48877[0]:
| A memory corruption vulnerability exists in the Shared String Table
| Record Parser implementation in xls2csv utility version 0.95. A
| specially crafted malformed file can lead to a heap buffer overflow.
| An attacker can provide a malicious file to trigger this
| vulnerability.
CVE-2024-52035[1]:
| An integer overflow vulnerability exists in the OLE Document File
| Allocation Table Parser functionality of catdoc 0.95. A specially
| crafted malformed file can lead to heap-based memory corruption. An
| attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-54028[2]:
| An integer underflow vulnerability exists in the OLE Document DIFAT
| Parser functionality of catdoc 0.95. A specially crafted malformed
| file can lead to heap-based memory corruption. An attacker can
| provide a malicious file to trigger this vulnerability.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-48877
    https://www.cve.org/CVERecord?id=CVE-2024-48877
[1] https://security-tracker.debian.org/tracker/CVE-2024-52035
    https://www.cve.org/CVERecord?id=CVE-2024-52035
[2] https://security-tracker.debian.org/tracker/CVE-2024-54028
    https://www.cve.org/CVERecord?id=CVE-2024-54028
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: catdoc
Source-Version: 1:0.95-6~deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
catdoc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated catdoc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Jun 2025 00:03:19 +0200
Source: catdoc
Architecture: source
Version: 1:0.95-6~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Martina Ferrari <t...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1107168
Changes:
catdoc (1:0.95-6~deb12u1) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for bookworm-security
.
catdoc (1:0.95-6) unstable; urgency=medium
.
  * Add patches prepared by Cisco Talos team to address multiple security
    vulnerabilities: CVE-2024-48877, CVE-2024-52035, and CVE-2024-54028.
    Thanks to Ali Rizvi-Santiago from the Talos team who found and fixed the
    vulnerabilities, and to Salvatore Bonaccorso from the Debian Security Team
    for all his help and infinite patience.
    Closes: #1107168
--- End Message ---