Your message dated Mon, 2 Mar 2020 14:42:38 +0100
with message-id <[email protected]>
and subject line [[email protected]: Re: CVE-2018-7587 and
CVE-2019-13568]
has caused the Debian Bug report #940952,
regarding cimg: CVE-2019-13568
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
940952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cimg
Version: 2.4.5+dfsg-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
The following vulnerability was published for cimg.
CVE-2019-13568[0]:
| CImg through 2.6.7 has a heap-based buffer overflow in _load_bmp in
| CImg.h because of erroneous memory allocation for a malformed BMP
| image.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13568
[1] https://github.com/dtschump/CImg/commit/ac8003393569aba51048c9d67e1491559877b1d1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
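The CVE text above describes a heap overflow that follows from sizing a pixel buffer from header fields of an untrusted BMP. The loader below is an editor's example added here to illustrate that bug class; it is not code from CImg or from the referenced commit, and it does not reproduce the specific allocation error in _load_bmp. It reads the 54-byte BMP file and info header, derives the padded row stride and the total pixel-buffer size in 64-bit arithmetic, and refuses to allocate unless the geometry the header declares is actually backed by bytes in the input. The size cap, the function names (bmp_parse_header, bmp_load_pixels, build_bmp, the demo functions) and the constructed in-memory sample images are assumptions of this example.

```c
/* Added example, not CImg's code: validate a BMP header before sizing the pixel buffer from it. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BMP_HDR 54u                                  /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define BMP_MAX_PIXEL_BYTES (256u * 1024u * 1024u)   /* policy cap; an assumption of this example */

typedef struct {
    uint32_t width, height, data_offset;   /* height as magnitude; a negative BMP height only means top-down rows */
    uint16_t bpp;
    size_t stride, pixel_bytes;            /* bytes per 4-byte-padded row, and stride * height */
} bmp_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse and validate an uncompressed (BI_RGB) header. Returns 0 on success, a negative code otherwise. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_info *out)
{
    if (len < BMP_HDR) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -2;
    uint32_t data_offset = rd32(buf + 10);
    uint32_t dib_size    = rd32(buf + 14);
    int32_t  w           = (int32_t)rd32(buf + 18);
    int32_t  h           = (int32_t)rd32(buf + 22);
    uint16_t planes      = rd16(buf + 26);
    uint16_t bpp         = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    if (dib_size < 40) return -3;
    if (w <= 0 || h == 0 || h == INT32_MIN) return -4;
    if (planes != 1) return -5;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return -6;
    if (compression != 0) return -7;
    uint32_t height = (uint32_t)(h < 0 ? -h : h);
    /* Size arithmetic in 64 bits: width * bpp does not fit in 32 bits for a hostile header. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    if (stride > BMP_MAX_PIXEL_BYTES) return -8;
    uint64_t pixel_bytes = stride * height;      /* stride <= 2^28 and height < 2^31: cannot overflow */
    if (pixel_bytes > BMP_MAX_PIXEL_BYTES) return -8;
    /* The check that matters: the pixel area the header promises must exist in the input. */
    if ((uint64_t)data_offset < 14 + (uint64_t)dib_size || data_offset > len) return -9;
    if (pixel_bytes > len - data_offset) return -10;
    out->width = (uint32_t)w; out->height = height; out->bpp = bpp; out->data_offset = data_offset;
    out->stride = (size_t)stride; out->pixel_bytes = (size_t)pixel_bytes;
    return 0;
}

/* Allocate from the validated size and copy rows; every offset used here is already bounded by len. */
uint8_t *bmp_load_pixels(const uint8_t *buf, size_t len, bmp_info *info)
{
    if (bmp_parse_header(buf, len, info) != 0) return NULL;
    uint8_t *pixels = malloc(info->pixel_bytes);
    if (pixels == NULL) return NULL;
    for (uint32_t r = 0; r < info->height; r++)
        memcpy(pixels + (size_t)r * info->stride,
               buf + info->data_offset + (size_t)r * info->stride, info->stride);
    return pixels;
}

/* Constructed sample input: a 54-byte header with caller-chosen geometry, then `body` bytes 0,1,2,... */
size_t build_bmp(uint8_t *out, int32_t w, int32_t h, uint16_t bpp, size_t body)
{
    memset(out, 0, BMP_HDR + body);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)(BMP_HDR + body));
    wr32(out + 10, BMP_HDR);
    wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)w);
    wr32(out + 22, (uint32_t)h);
    wr16(out + 26, 1);
    wr16(out + 28, bpp);
    for (size_t i = 0; i < body; i++) out[BMP_HDR + i] = (uint8_t)i;
    return BMP_HDR + body;
}

/* 2x2 at 24 bpp: stride 8, 16 pixel bytes; loads, and the last byte copied is 15. Returns 1 on success. */
int demo_wellformed(void)
{
    uint8_t buf[BMP_HDR + 16]; bmp_info info;
    size_t len = build_bmp(buf, 2, 2, 24, 16);
    uint8_t *px = bmp_load_pixels(buf, len, &info);
    int ok = px != NULL && info.stride == 8 && info.pixel_bytes == 16 && px[15] == 15;
    free(px); return ok;
}

/* The same 16 body bytes under a header that lies about width/height; returns the parser's verdict. */
int demo_header_lies(int32_t w, int32_t h)
{
    uint8_t buf[BMP_HDR + 16]; bmp_info info;
    size_t len = build_bmp(buf, w, h, 24, 16);
    return bmp_parse_header(buf, len, &info);
}
```

demo_header_lies(4, 4) declares 48 pixel bytes over a 16-byte body and is rejected with -10 before any allocation; that gap between promised and present data is exactly what turns a per-row copy into a write past the end of a heap buffer when the allocation is trusted. demo_header_lies(1000000, 1000000) is refused with -8 by the size cap, so a hostile header cannot force a multi-terabyte (or, after 32-bit wraparound, a tiny) allocation.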
--- Begin Message ---
----- Forwarded message from Tschumperle David <[email protected]> -----
Date: Mon, 2 Mar 2020 13:18:11 +0100 (CET)
From: Tschumperle David <[email protected]>
To: Andreas Tille <[email protected]>
Subject: Re: CVE-2018-7587 and CVE-2019-13568
Hello Andreas,
I think I've fixed these bugs indeed, a few months ago.
Regards,
David.
PS: I'm sorry, but I don't write a Changelog for CImg anymore. Not that I don't
maintain it, but I write my changes directly in the Changelog of the G'MIC
project.
-----------------------------------------------------------------------------
David Tschumperlé
CNRS Researcher
GREYC (UMR-CNRS 6072)
6, Bd du Marechal Juin
F-14050 CAEN Cedex
France
E-mail: [email protected]
Tel: +33 (0)2-31-45-29-25
Fax: +33 (0)2-31-45-26-98
https://tschumperle.users.greyc.fr/
-----------------------------------------------------------------------------
----- Original Message -----
From: "Andreas Tille" <[email protected]>
To: [email protected], [email protected], "David Tschumperlé"
<[email protected]>
Sent: Monday, March 2, 2020 12:51:04 PM
Subject: CVE-2018-7587 and CVE-2019-13568
Control: tags -1 upstream
Control: forwarded -1 David Tschumperlé <[email protected]>
Hi David,
there are two bug reports about CVE-related bugs against the Debian
package of an older version of cimg (which has not been updated for some
time :-( - also shame on me, but I have quite a number of packages in
Debian Med, thus Debian Science only has lower preference).
Would you mind having a look at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940951
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940952
and confirm whether the current version has dealt with these bug
reports. If yes, it would be helpful if you would mention these fixes in
some kind of changelog in cimg.
Kind regards
Andreas.
--
http://fam-tille.de
----- End forwarded message -----
--
http://fam-tille.de
--- End Message ---