clone 917807 -1
retitle -1 Orphan libcaca
severity -1 normal
thanks

Hi Sam,

I'm planning on fixing those security issues for Buster.

Given that you last touched the package in 2014, and didn't address this
critical bug within 3 months, may I go ahead and orphan the package while
I'm at it?

I will do so in the absence of an answer, but I shall make sure that my
upload is delayed until at least next Monday (2019-03-18), so you have
time to intercept it.

Best,
  nicoo

On Sun, Dec 30, 2018 at 04:42:04PM +0100, Salvatore Bonaccorso wrote:
> Source: libcaca
> Version: 0.99.beta19-2
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> The following vulnerabilities were published for libcaca.
>
> CVE-2018-20544[0]:
> | There is floating point exception at caca/dither.c (function
> | caca_dither_bitmap) in libcaca 0.99.beta19.
>
> CVE-2018-20545[1]:
> | There is an illegal WRITE memory access at common-image.c (function
> | load_image) in libcaca 0.99.beta19 for 4bpp data.
>
> CVE-2018-20546[2]:
> | There is an illegal READ memory access at caca/dither.c (function
> | get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.
>
> CVE-2018-20547[3]:
> | There is an illegal READ memory access at caca/dither.c (function
> | get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.
>
> CVE-2018-20548[4]:
> | There is an illegal WRITE memory access at common-image.c (function
> | load_image) in libcaca 0.99.beta19 for 1bpp data.
>
> CVE-2018-20549[5]:
> | There is an illegal WRITE memory access at caca/file.c (function
> | caca_file_read) in libcaca 0.99.beta19.
>
> Note: obviously I realize given you are both upstream and Debian
> maintainer you have already fixed this upstream with the reports
> submitted and two of those issues are actually unimportant as the
> Debian build does not use the fallback.
>
> Reporting these issues still in the BTS for tracking purposes.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20544
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
> [1] https://security-tracker.debian.org/tracker/CVE-2018-20545
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
> [2] https://security-tracker.debian.org/tracker/CVE-2018-20546
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
> [3] https://security-tracker.debian.org/tracker/CVE-2018-20547
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
> [4] https://security-tracker.debian.org/tracker/CVE-2018-20548
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
> [5] https://security-tracker.debian.org/tracker/CVE-2018-20549
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
>
> Regards,
> Salvatore