Your message dated Tue, 22 Aug 2017 21:48:34 +0000
with message-id <e1dkh2i-0004in...@fasolo.debian.org>
and subject line Bug#868956: fixed in libmspack 0.5-1+deb8u1
has caused the Debian Bug report #868956,
regarding libmspack: CVE-2017-11423
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
868956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libmspack
Version: 0.5-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=11873
Hi,
the following vulnerability was published for libmspack.
CVE-2017-11423[0]:
| The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha,
| as used in ClamAV 0.99.2 and other products, allows remote attackers to
| cause a denial of service (stack-based buffer over-read and application
| crash) via a crafted CAB file.
Unfortunately the upstream bug [1] is locked-down.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11423
[1] https://bugzilla.clamav.net/show_bug.cgi?id=11873
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libmspack
Source-Version: 0.5-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated
libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 16 Aug 2017 21:42:50 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Marc Dequènes (Duck) <d...@duckcorp.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Description:
libmspack-dbg - library for Microsoft compression formats (debugging symbols)
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
libmspack (0.5-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload.
* Correct rejection of empty strings.
* Fix mis-handling of sys->read() errors in cabd_read_string()
(CVE-2017-11423) (Closes: #868956).
* Reject negative output length in SpanInfo (CVE-2017-6419)
(Closes: #871263).
Checksums-Sha1:
0f0eeda3692a12a2ba912733b96c72c6e190295a 2106 libmspack_0.5-1+deb8u1.dsc
42df94afb1e167e1334b92cded4e86c0b6568823 5148
libmspack_0.5-1+deb8u1.debian.tar.xz
5d53a8c460e28223ad680154451f21794e5811a5 47170
libmspack0_0.5-1+deb8u1_amd64.deb
ff8fe69a3e7ac2e1a67e3be3583b5002757158b7 65516
libmspack-dev_0.5-1+deb8u1_amd64.deb
66cd4083789e01458c19f928c5576995dfe07aab 84436
libmspack-dbg_0.5-1+deb8u1_amd64.deb
4aae4ac61a56bfc7d30e9195d13bd19f5b290712 100766
libmspack-doc_0.5-1+deb8u1_all.deb
Checksums-Sha256:
4c0d570bee1de45c801dd2fc745c4fa56131a206ab1edab49e7407942f7d8387 2106
libmspack_0.5-1+deb8u1.dsc
c7ad3df9c6401cbc075acba4519a5fb312183c83154834d52408ce8455e76db8 5148
libmspack_0.5-1+deb8u1.debian.tar.xz
c5efdde1b92633dc3c6b65bbe197bd9cdf5c1748b98f465a29c582602fd3cff4 47170
libmspack0_0.5-1+deb8u1_amd64.deb
0578c9ff8f5f6ff6732769a588595c82850ae83a8379ba3e92df3514d7bd8fd3 65516
libmspack-dev_0.5-1+deb8u1_amd64.deb
7597553486ec11b6fc583468bc85b822ab538a3eb3e14a6193aab36793f13542 84436
libmspack-dbg_0.5-1+deb8u1_amd64.deb
8e04f2a37878279060657d4af01ddb4b8a27b30e2656e408e57eecefd80bac29 100766
libmspack-doc_0.5-1+deb8u1_all.deb
Files:
b5bcf260629f0c2c6884d8b1b1877f55 2106 libs optional libmspack_0.5-1+deb8u1.dsc
be04a3ce310a729c35f5fdb666655373 5148 libs optional
libmspack_0.5-1+deb8u1.debian.tar.xz
86d7f1928a14eca61d5619eb42a17ff1 47170 libs optional
libmspack0_0.5-1+deb8u1_amd64.deb
b1677eff105b2c8238f7d119d16f4a1e 65516 libdevel optional
libmspack-dev_0.5-1+deb8u1_amd64.deb
54826f304dd902d6e78909f39994bd05 84436 debug extra
libmspack-dbg_0.5-1+deb8u1_amd64.deb
66e14a51927a4c22a8d2f3b01ad53123 100766 doc optional
libmspack-doc_0.5-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAlmV7uAACgkQT+XjJihy
5My7oA/+JNfHZouLWnAcOQKvyF2s4RiEADz4mx5Lb/s5vtnfUJMwzhS1nK7sPViu
amy2SlSBlCkkscKKVdpCilcTJJeNNHMwXuaLXJDrohA0T3gz6TbG2QlnwiS0BU5x
KOXqYy1OCMuPPH3kG/715u4aod6cJLWUPjD+/uNd16PQjhQ+Z/3321iYfo1er/q3
xFwfom3ZmcdXxGl+dQ4cdKNBxhpWUP19Tt19Gwg/tojnfEnm1sNtgrwP9E/nAfMn
5UKO7oNzBpQAl1MZzA6TcfWqf+YAFl8ciNlCYqYxDb7qiFyEPtTWWtxlwDDE7DNa
DHc9vSd9psinIUzKNabkIdwYWRK4SOqNESRxDVn1Imdjqj5tuvVRsMS3qWL7HjFS
z/9EIYxpUG2b1IsUP1xXF5SKNtMFzNwhC2YU/STXHWgZb4rwig3tg19XBGKVi2Ei
fRPJd2+ixeSOXVnn2yHuNRCjEfjDaAC7BwTbteOaeKtLWtGgyvjkfCg0qmxcyrrn
xDuU0TIhdLaSayL5vsnf7lCv88FB82t7jhHs5hBaWHAmRjmP+aCT2/PQn0ZbVcAu
jyj7BYdLc+0XU8M/fzF949il04BCjOVuPlyCzCSp1hoHFQwovnnN/MIpmXLdFfHa
X5DFUlhsb3DxBiWrED4NL++C9v1LeXgOwlpB6Qk/yTmVy1Wki00=
=HQH1
-----END PGP SIGNATURE-----
--- End Message ---