Your message dated Sat, 21 Dec 2019 18:32:09 +0000
with message-id <[email protected]>
and subject line Bug#946176: fixed in fig2dev 1:3.2.7a-5+deb10u2
has caused the Debian Bug report #946176,
regarding fig2dev: CVE-2019-19555
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
946176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946176
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fig2dev
Version: 1:3.2.7b-1
Severity: normal
Tags: security upstream
Forwarded: https://sourceforge.net/p/mcj/tickets/55/
Hi,
The following vulnerability was published for fig2dev.
CVE-2019-19555[0]:
| read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based
| buffer overflow because of an incorrect sscanf.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19555
[1] https://sourceforge.net/p/mcj/tickets/55/
[2] https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: fig2dev
Source-Version: 1:3.2.7a-5+deb10u2
We believe that the bug you reported is fixed in the latest version of
fig2dev, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Rosenfeld <[email protected]> (supplier of updated fig2dev package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 04 Dec 2019 22:12:49 +0100
Source: fig2dev
Architecture: source
Version: 1:3.2.7a-5+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Roland Rosenfeld <[email protected]>
Changed-By: Roland Rosenfeld <[email protected]>
Closes: 946176
Changes:
fig2dev (1:3.2.7a-5+deb10u2) buster; urgency=medium
.
* 41_CVE-2019-19555: Allow Fig v2 text strings ending with multiple ^A.
This fixes CVE-2019-19555 (Closes: #946176).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---