Your message dated Sun, 14 Mar 2021 16:26:13 +0100
with message-id <[email protected]>
and subject line Accepted libjpeg-turbo 1:2.0.6-4 (source) into unstable
has caused the Debian Bug report #985082,
regarding libjpeg-turbo: CVE-2021-0384
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985082
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjpeg-turbo
Version: 1:2.0.6-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/470
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libjpeg-turbo.
CVE-2021-0384[0]:
| In read_and_discard_scanlines of jdapistd.c, there is a possible null
| pointer exception due to a missing NULL check. This could lead to
| remote denial of service with no additional execution privileges
| needed. User interaction is needed for exploitation. Product:
| Android Versions: Android-11 Android ID: A-173702583
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-0384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0384
[1] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/470
[2] https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6d2e8837b440ce4d8befd805a5abc0d351028d70
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libjpeg-turbo
Source-Version: 1:2.0.6-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 14 Mar 2021 15:45:05 +0100
Source: libjpeg-turbo
Architecture: source
Version: 1:2.0.6-4
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Changes:
libjpeg-turbo (1:2.0.6-4) unstable; urgency=medium
.
[ Adrian Bunk ]
* debian/patches:
+ Add 0001-cmake-MATCHES-uses-regex-not-globs.patch. Fix for cmake MATCHES
to fix sparc64 FTBFS.
.
[ Mike Gabriel ]
* debian/patches:
+ Add 1002_jpeg-skip-scanlines-avoid-NULL+0-UBSan-error.patch.
jpeg_skip_scanlines(): Avoid NULL + 0 UBSan error. (CVE-2021-0384).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---