Your message dated Mon, 05 Aug 2019 23:19:12 +0000
with message-id <[email protected]>
and subject line Bug#933797: fixed in sigil 0.9.16+dfsg-1
has caused the Debian Bug report #933797,
regarding sigil: CVE-2019-14452
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
933797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933797
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sigil
Version: 0.9.14+dfsg-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for sigil.
CVE-2019-14452[0]:
| Sigil before 0.9.16 is vulnerable to a directory traversal, allowing
| attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP
| archive entry that is mishandled during extraction.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-14452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14452
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sigil
Source-Version: 0.9.16+dfsg-1
We believe that the bug you reported is fixed in the latest version of
sigil, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattia Rizzolo <[email protected]> (supplier of updated sigil package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 05 Aug 2019 14:02:35 +0200
Source: sigil
Architecture: source
Version: 0.9.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <[email protected]>
Changed-By: Mattia Rizzolo <[email protected]>
Closes: 933797
Changes:
 sigil (0.9.16+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 0.9.16+dfsg.
     + Fix a Zip directory traversal vulnerability.
       Closes: #933797; CVE-2019-14452
   * d/control: Bump Standards-Version to 4.4.0, no changes needed.
   * Upload to unstable.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---