Your message dated Thu, 26 May 2022 20:32:12 +0000
with message-id <e1nuk9u-000bwp...@fasolo.debian.org>
and subject line Bug#1010526: fixed in libxml2 2.9.10+dfsg-6.7+deb11u2
has caused the Debian Bug report #1010526,
regarding libxml2: CVE-2022-29824: integer overflows in xmlBuf and xmlBuffer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010526
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.13+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libxml2.

CVE-2022-29824[0]:
| In libxml2 before 2.9.14, several buffer handling functions in buf.c
| (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows.
| This can result in out-of-bounds memory writes. Exploitation requires
| a victim to open a crafted, multi-gigabyte XML file. Other software
| using libxml2's buffer functions, for example libxslt through 1.1.35,
| is affected as well.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
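The CVE text quoted in the report above describes a bug class rather than a single line: a buffer's "bytes in use + bytes to append" is computed in a size_t without checking that the sum can wrap, so a wrapped (tiny) result skips the reallocation and the following memcpy writes past the allocation. The block below is an added illustration written for this page; it is not libxml2's code, not the Debian patch, and not part of the bug report. Its buf_t, buf_grow_size, buf_add and the demo_* helpers are hypothetical names, and the "use" value near SIZE_MAX in demo_overflow_rejected is a constructed input standing in for the multi-gigabyte file the advisory mentions. It shows the unchecked computation as a pure function next to the checked growth path that refuses the append before any memory is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal growable buffer (content, use, size), the same
 * shape of bookkeeping the advisory talks about. Not libxml2's struct. */
typedef struct {
    unsigned char *content; /* allocation of `size` bytes */
    size_t use;             /* bytes currently in use */
    size_t size;            /* bytes allocated */
} buf_t;

/* The unchecked computation, isolated as a pure function so the wrap
 * can be observed without writing anywhere: use + len + 1 silently
 * wraps when use is close to SIZE_MAX. */
static size_t unchecked_need(size_t use, size_t len) {
    return use + len + 1;
}

/* Checked growth: returns the allocation size needed to append `len`
 * bytes plus a NUL terminator, or 0 if that size cannot be represented.
 * The first `if` is the overflow check the advisory says was missing. */
static size_t buf_grow_size(size_t use, size_t size, size_t len) {
    if (use >= SIZE_MAX - 1 || len > SIZE_MAX - 1 - use)
        return 0;                       /* use + len + 1 would wrap */
    size_t need = use + len + 1;
    if (need <= size)
        return size;                    /* fits, no growth needed */
    size_t newsize = size ? size : 64;  /* doubling growth policy */
    while (newsize < need) {
        if (newsize > SIZE_MAX / 2)
            return need;                /* cannot double: exact fit */
        newsize *= 2;
    }
    return newsize;
}

/* Append `len` bytes; 0 on success, -1 if the size overflows or
 * realloc fails. On -1 nothing has been written to the buffer. */
static int buf_add(buf_t *b, const unsigned char *src, size_t len) {
    size_t newsize = buf_grow_size(b->use, b->size, len);
    if (newsize == 0)
        return -1;
    if (newsize > b->size) {
        unsigned char *p = realloc(b->content, newsize);
        if (p == NULL)
            return -1;
        b->content = p;
        b->size = newsize;
    }
    memcpy(b->content + b->use, src, len);
    b->use += len;
    b->content[b->use] = '\0';
    return 0;
}

/* Normal path on constructed input: returns bytes in use afterwards. */
static long demo_append(void) {
    buf_t b = {NULL, 0, 0};
    if (buf_add(&b, (const unsigned char *)"hello", 5) != 0) return -1;
    if (buf_add(&b, (const unsigned char *)" world", 6) != 0) return -1;
    long n = (long)b.use;
    if (strcmp((const char *)b.content, "hello world") != 0) n = -1;
    free(b.content);
    return n;
}

/* Failure path: a buffer whose `use` is (artificially) close to
 * SIZE_MAX, the situation a huge input would reach. The append must be
 * refused with the 16-byte allocation left untouched. Returns 1 if the
 * guard held, 0 otherwise. */
static int demo_overflow_rejected(void) {
    buf_t b;
    b.content = calloc(16, 1);
    b.size = 16;
    b.use = SIZE_MAX - 10;                 /* constructed, not a real state */
    unsigned char data[20];
    memset(data, 'A', sizeof data);
    int refused = (buf_add(&b, data, sizeof data) == -1);
    int untouched = (b.content[0] == 0);   /* memcpy never ran */
    free(b.content);
    return refused && untouched;
}

int main(void) {
    printf("unchecked_need(SIZE_MAX-10, 20) wraps to %zu\n",
           unchecked_need(SIZE_MAX - 10, 20));
    printf("checked append of 11 bytes -> use=%ld\n", demo_append());
    printf("oversized append refused: %d\n", demo_overflow_rejected());
    return 0;
}
```

The point to carry into review of any buffer code, not just libxml2's: the check has to run on the operands before the addition, since once the sum has wrapped there is nothing left to compare. Comparing `len` against `SIZE_MAX - 1 - use` is the portable form; compilers also offer `__builtin_add_overflow` where available.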
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.10+dfsg-6.7+deb11u2
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 May 2022 15:58:46 +0200
Source: libxml2
Architecture: source
Version: 2.9.10+dfsg-6.7+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1010526
Changes:
 libxml2 (2.9.10+dfsg-6.7+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix integer overflow in xmlBufferResize
   * Fix integer overflows in xmlBuf and xmlBuffer (CVE-2022-29824)
     (Closes: #1010526)
Checksums-Sha1: 
 40219fa9419ee3943645f9fc5bfefb81e1e37fbe 2859 libxml2_2.9.10+dfsg-6.7+deb11u2.dsc
 2578c0817feae47d78c4f987c7a2a32f87d89517 2503560 libxml2_2.9.10+dfsg.orig.tar.xz
 3c302997948f3789fc90f82a75404fa229eebbf9 36368 libxml2_2.9.10+dfsg-6.7+deb11u2.debian.tar.xz
Checksums-Sha256: 
 f80a2929c91dc06cfa84e7e555d5d76c9b9df848d9b3e561e59f1338417feba3 2859 libxml2_2.9.10+dfsg-6.7+deb11u2.dsc
 65ee7a2f5e100c64ddf7beb92297c9b2a30b994a76cd1fab67470cf22db6b7d0 2503560 libxml2_2.9.10+dfsg.orig.tar.xz
 76bb4df309fbb02b26a6d5ab1bc32e158c709f0e7fb255ec734be5efe3cb78d5 36368 libxml2_2.9.10+dfsg-6.7+deb11u2.debian.tar.xz
Files: 
 4b0bca460d95dc492e8d5a47f1fadf7f 2859 libs optional libxml2_2.9.10+dfsg-6.7+deb11u2.dsc
 4fb60521425df67f453b3c1ff0efbc1c 2503560 libs optional libxml2_2.9.10+dfsg.orig.tar.xz
 0a80fb4f837efc502ccae0024b3b3338 36368 libs optional libxml2_2.9.10+dfsg-6.7+deb11u2.debian.tar.xz


--- End Message ---