Your message dated Sat, 21 Dec 2019 19:02:32 +0000
with message-id <[email protected]>
and subject line Bug#946176: fixed in fig2dev 1:3.2.6a-2+deb9u3
has caused the Debian Bug report #946176,
regarding fig2dev: CVE-2019-19555
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946176
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fig2dev
Version: 1:3.2.7b-1
Severity: normal
Tags: security upstream
Forwarded: https://sourceforge.net/p/mcj/tickets/55/

Hi,

The following vulnerability was published for fig2dev.

CVE-2019-19555[0]:
| read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based
| buffer overflow because of an incorrect sscanf.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19555
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19555
[1] https://sourceforge.net/p/mcj/tickets/55/
[2] https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: fig2dev
Source-Version: 1:3.2.6a-2+deb9u3

We believe that the bug you reported is fixed in the latest version of
fig2dev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <[email protected]> (supplier of updated fig2dev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 04 Dec 2019 22:22:00 +0100
Source: fig2dev
Architecture: source
Version: 1:3.2.6a-2+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Roland Rosenfeld <[email protected]>
Changed-By: Roland Rosenfeld <[email protected]>
Closes: 946176
Changes:
 fig2dev (1:3.2.6a-2+deb9u3) stretch; urgency=medium
 .
   * 41_CVE-2019-19555: Allow Fig v2 text strings ending with multiple ^A.
     This fixes CVE-2019-19555 (Closes: #946176).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
