Your message dated Mon, 05 Nov 2018 00:04:52 +0000
with message-id <e1gjsnw-0000by...@fasolo.debian.org>
and subject line Bug#912617: fixed in libsdl2-image 2.0.3+dfsg1-3
has caused the Debian Bug report #912617,
regarding libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.3+dfsg1-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.0.1+dfsg-1
Control: found -1 2.0.1+dfsg-2+deb9u1
Control: clone -1 -2
Control: retitle -2 sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
Control: reassign -2 src:sdl-image1.2 1.2.12-9
Control: found -2 1.2.12-5
Control: found -2 1.2.12-5+deb9u1

Hi,

The following vulnerability was published for libsdl2-image.

CVE-2018-3977[0]:
| An exploitable code execution vulnerability exists in the XCF image
| rendering functionality of SDL2_image-2.0.3. A specially crafted XCF
| image can cause a heap overflow, resulting in code execution. An
| attacker can display a specially crafted image to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3977
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3977
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
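The CVE text above describes a heap overflow when rendering XCF layers, and the fix uploaded in 2.0.3+dfsg1-3 is summarised as preventing a buffer overflow on a corrupt or crafted XCF file. The C program below is an added illustration of the defensive pattern such a fix relies on: never trust the layer geometry declared in the file, check that the declared size is actually backed by decoded data, and bound every write by the destination canvas. It is not SDL_image's code and does not reproduce its do_layer_surface; the layer/canvas model (RGBA, 4 bytes per pixel, a layer placed at a signed offset), the function names and the sample data are all constructed assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes per pixel; a constructed assumption (RGBA8888) for this illustration. */
#define BPP 4

typedef struct {
    int32_t x, y;           /* layer offset in canvas coordinates; XCF allows negatives */
    uint32_t w, h;          /* layer size as declared in the file: untrusted */
    const uint8_t *pixels;  /* decoded layer pixels, row-major, w*h*BPP bytes expected */
    size_t pixels_len;      /* how many bytes were actually decoded */
} layer_t;

typedef struct {
    uint32_t w, h;
    uint8_t *pixels;        /* w*h*BPP bytes, owned by the caller */
} canvas_t;

/* Check that the declared layer size is backed by the data we actually hold.
   Returns 1 if w*h*BPP fits in size_t and pixels_len covers it, else 0. */
int layer_data_is_consistent(const layer_t *l)
{
    if (l->w == 0 || l->h == 0) return 1;          /* empty layer, nothing to copy */
    /* Overflow-safe multiplication: test the bound before multiplying. */
    if ((size_t)l->w > SIZE_MAX / BPP) return 0;
    size_t row = (size_t)l->w * BPP;
    if ((size_t)l->h > SIZE_MAX / row) return 0;
    return l->pixels != NULL && l->pixels_len >= row * (size_t)l->h;
}

/* Copy the part of the layer that lies inside the canvas. Every write is
   bounded by the canvas rectangle, so an oversized or mis-positioned layer
   cannot write past the canvas buffer. Returns -1 on inconsistent input,
   otherwise the number of pixels copied. */
long blit_layer_checked(const layer_t *l, canvas_t *c)
{
    if (!layer_data_is_consistent(l) || c->pixels == NULL) return -1;

    /* 64-bit arithmetic so offset + size cannot overflow int32. */
    int64_t lx0 = l->x, ly0 = l->y;
    int64_t lx1 = lx0 + (int64_t)l->w, ly1 = ly0 + (int64_t)l->h;

    /* Intersect the layer rectangle with the canvas rectangle [0,w) x [0,h). */
    int64_t x0 = lx0 > 0 ? lx0 : 0;
    int64_t y0 = ly0 > 0 ? ly0 : 0;
    int64_t x1 = lx1 < (int64_t)c->w ? lx1 : (int64_t)c->w;
    int64_t y1 = ly1 < (int64_t)c->h ? ly1 : (int64_t)c->h;
    if (x0 >= x1 || y0 >= y1) return 0;           /* layer entirely off-canvas */

    size_t span = (size_t)(x1 - x0) * BPP;
    long copied = 0;
    for (int64_t y = y0; y < y1; y++) {
        /* Source row/column inside the layer, destination inside the canvas. */
        const uint8_t *src = l->pixels + ((size_t)(y - ly0) * l->w + (size_t)(x0 - lx0)) * BPP;
        uint8_t *dst = c->pixels + ((size_t)y * c->w + (size_t)x0) * BPP;
        memcpy(dst, src, span);
        copied += (long)(x1 - x0);
    }
    return copied;
}

/* Constructed demo: zeroed 4x4 canvas, 3x3 layer of 0xAB bytes placed at (2,2).
   Only the 2x2 overlap is written. Fills out[64] with the canvas, returns the count. */
long demo_partial_overlap(uint8_t out[64])
{
    uint8_t layer_px[3 * 3 * BPP];
    memset(layer_px, 0xAB, sizeof layer_px);
    memset(out, 0, 64);
    layer_t l = { 2, 2, 3, 3, layer_px, sizeof layer_px };
    canvas_t c = { 4, 4, out };
    return blit_layer_checked(&l, &c);
}

long demo_partial_overlap_count(void)
{
    uint8_t buf[64];
    return demo_partial_overlap(buf);
}

/* First byte of canvas pixel (x, y) after the partial-overlap demo. */
int demo_partial_overlap_pixel(uint32_t x, uint32_t y)
{
    uint8_t buf[64];
    demo_partial_overlap(buf);
    return buf[(y * 4 + x) * BPP];
}

/* Constructed demo: a layer declaring a 0xFFFFFFFF x 0xFFFFFFFF size but backed by
   only 16 bytes of data is rejected before any copy happens. */
long demo_oversized_layer(void)
{
    uint8_t px[16] = {0};
    uint8_t canvas[64] = {0};
    layer_t l = { 0, 0, 0xFFFFFFFFu, 0xFFFFFFFFu, px, sizeof px };
    canvas_t c = { 4, 4, canvas };
    return blit_layer_checked(&l, &c);
}

/* Constructed demo: a 2x2 layer at (-1,-1) on a 4x4 canvas; only one pixel lands. */
long demo_negative_offset(void)
{
    uint8_t px[2 * 2 * BPP];
    uint8_t canvas[64] = {0};
    memset(px, 0xCD, sizeof px);
    layer_t l = { -1, -1, 2, 2, px, sizeof px };
    canvas_t c = { 4, 4, canvas };
    return blit_layer_checked(&l, &c);
}
```

The two checks are independent on purpose: layer_data_is_consistent guards the read side (the declared geometry must be covered by bytes actually decoded, with the multiplication itself checked for overflow), while the clipping in blit_layer_checked guards the write side (the destination index is derived from the intersection with the canvas, never from the file's numbers directly). A parser that does only one of the two still has an out-of-bounds access on the other side.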
--- Begin Message ---
Source: libsdl2-image
Source-Version: 2.0.3+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated libsdl2-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Nov 2018 23:34:39 +0000
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-dev
Architecture: source amd64
Version: 2.0.3+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintain...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
 libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 912617
Changes:
 libsdl2-image (2.0.3+dfsg1-3) unstable; urgency=high
 .
   * Non-maintainer upload with permission of maintainers.
   * CVE-2018-3977: Prevent a potential buffer overflow on a corrupt or
     maliciously-crafted XCF file. (Closes: #912617)
Checksums-Sha1:
 adcfc9edb0efb92bd0ecaa0b48b022e761dc4886 2241 libsdl2-image_2.0.3+dfsg1-3.dsc
 47cdb38514bb6039c20c6e7f93444f1f326d560a 4992 libsdl2-image_2.0.3+dfsg1-3.debian.tar.xz
 c69eb4ad648ed6bcae8ac1ea68805c1c004df4e0 193776 libsdl2-image-2.0-0-dbgsym_2.0.3+dfsg1-3_amd64.deb
 3d7cd8e7acfec5f5872371b4c3b66f01fc85045c 66236 libsdl2-image-2.0-0_2.0.3+dfsg1-3_amd64.deb
 2086ff3f43bc31d8aebc433441af2af764d2877f 73176 libsdl2-image-dev_2.0.3+dfsg1-3_amd64.deb
 1cab23fc273437a90ff11cd400348f76f244371a 11392 libsdl2-image_2.0.3+dfsg1-3_amd64.buildinfo
Checksums-Sha256:
 231a5a5e9f5e74b74af92d0cdf5ee830f72ea3537d550b21e21f93cac7f19965 2241 libsdl2-image_2.0.3+dfsg1-3.dsc
 23c511213707b03442139d19ce897bbec3a81032ee78ce7bd328fcd1390412be 4992 libsdl2-image_2.0.3+dfsg1-3.debian.tar.xz
 993f4719cf228f0d57aac0eaa1a8c94e7572e2cd18fdfe6703e594bcba25e6f0 193776 libsdl2-image-2.0-0-dbgsym_2.0.3+dfsg1-3_amd64.deb
 e651fac15522108a6fa7f766bb327cc32d7b787c5629140ff9030165f995e5a8 66236 libsdl2-image-2.0-0_2.0.3+dfsg1-3_amd64.deb
 1dc77b96e213017de84fef56d5bb40c5f6c38cb0c64e547d0727c2dea4797bea 73176 libsdl2-image-dev_2.0.3+dfsg1-3_amd64.deb
 5f76fe57429d8428fb92b7234c1b5b7879cff10dfaf8a2ab1a8065c09fd8e364 11392 libsdl2-image_2.0.3+dfsg1-3_amd64.buildinfo
Files:
 0e204da224460694c8462cc1a1046f33 2241 libs optional libsdl2-image_2.0.3+dfsg1-3.dsc
 74a806cce442b1ec3ec46bf75dd2beb5 4992 libs optional libsdl2-image_2.0.3+dfsg1-3.debian.tar.xz
 5f14f8df2e608dfa30475051f176aa55 193776 debug optional libsdl2-image-2.0-0-dbgsym_2.0.3+dfsg1-3_amd64.deb
 7622aef5fcce76de7f7c52d67427c4d2 66236 libs optional libsdl2-image-2.0-0_2.0.3+dfsg1-3_amd64.deb
 4a2845ad3d9cc8795861b7e54bea478a 73176 libdevel optional libsdl2-image-dev_2.0.3+dfsg1-3_amd64.deb
 429349a36db1fd38510dccbc422fd9f6 11392 libs optional libsdl2-image_2.0.3+dfsg1-3_amd64.buildinfo


--- End Message ---
