Your message dated Fri, 22 Nov 2019 17:04:56 +0000
with message-id <[email protected]>
and subject line Bug#944961: fixed in jhead 1:3.04-1
has caused the Debian Bug report #944961,
regarding jhead: CVE-2019-19035
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
944961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944961
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jhead
Version: 1:3.03-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for jhead. The Red Hat
bugzilla entry refers to the poc files from the reporter.

CVE-2019-19035[0]:
| jhead 3.03 is affected by: heap-based buffer over-read. The impact is:
| Denial of service. The component is: ReadJpegSections and process_SOFn
| in jpgfile.c. The attack vector is: Open a specially crafted JPEG
| file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19035
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19035
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1765647

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jhead
Source-Version: 1:3.04-1

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <[email protected]> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 22 Nov 2019 17:41:30 +0100
Source: jhead
Architecture: source
Version: 1:3.04-1
Distribution: unstable
Urgency: medium
Maintainer: Ludovic Rousseau <[email protected]>
Changed-By: Ludovic Rousseau <[email protected]>
Closes: 944961
Changes:
 jhead (1:3.04-1) unstable; urgency=medium
 .
   * New upstream release
   * Fix "CVE-2019-19035" in new upstream (Closes: #944961)
   * d/p/30_spelling: removed, included upstream
   * d/p/29_reproducible: removed, included upstream
   * d/p/28_spelling: removed, included upstream
   * d/p/26_makefile: removed, included upstream
   * d/p/25_makefile: removed, included upstream
   * d/p/27_documentation: removed, included upstream
   * d/p/32_crash_in_gpsinfo: removed, included upstream
   * d/p/33_fix_908176: removed, included upstream
   * d/p/34_buffer_overflow: removed, included upstream
   * d/p/35_fix_alloc_size: removed, fix included upstream
   * d/p/36_CVE-2019-1010301rm: removed, included upstream
   * d/p/37_CVE-2019-1010302rm: removed, included upstream
   * d/control: Standards-Version: 4.2.1 -> 4.3.0. No change needed

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
