Your message dated Thu, 26 May 2022 20:33:08 +0000
with message-id <e1nukao-000bog...@fasolo.debian.org>
and subject line Bug#1010526: fixed in libxml2 2.9.4+dfsg1-7+deb10u4
has caused the Debian Bug report #1010526,
regarding libxml2: CVE-2022-29824: integer overflows in xmlBuf and xmlBuffer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010526
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.13+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libxml2.

CVE-2022-29824[0]:
| In libxml2 before 2.9.14, several buffer handling functions in buf.c
| (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows.
| This can result in out-of-bounds memory writes. Exploitation requires
| a victim to open a crafted, multi-gigabyte XML file. Other software
| using libxml2's buffer functions, for example libxslt through 1.1.35,
| is affected as well.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
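The CVE text in the report above describes buffer functions that test capacity on `use + len` without first checking that the sum can fit in the size type, so a crafted multi-gigabyte input makes the addition wrap, the grow step is skipped, and the copy that follows writes out of bounds. The following is an added example, not libxml2's code and not the upstream fix: a toy buffer (`tbuf`, `tbuf_add`, `unchecked_says_fits` are hypothetical names) with the same `unsigned int use/size` layout as the 2.9.x `xmlBuffer`, showing the wrapping capacity test beside a version that rejects the append before any arithmetic can wrap. The unchecked variant only reports its decision so the out-of-bounds write is never actually executed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable buffer modelled on the libxml2 2.9.x xmlBuffer layout
 * (unsigned int for use/size). Added illustration only; not libxml2 code. */
typedef struct {
    unsigned char *content;
    unsigned int use;   /* bytes currently stored */
    unsigned int size;  /* bytes allocated for content */
} tbuf;

void tbuf_init(tbuf *b) { b->content = NULL; b->use = 0; b->size = 0; }
void tbuf_free(tbuf *b) { free(b->content); tbuf_init(b); }

/* The vulnerable pattern: the capacity test is done on "use + len", which is
 * computed in unsigned int and wraps silently past UINT_MAX. When it wraps,
 * "needed" is tiny, the grow step is skipped, and a following
 * memcpy(content + use, data, len) runs far past the allocation.
 * This helper only reports the decision (1 = "fits, no grow needed"), so
 * the out-of-bounds write is never performed here. */
int unchecked_says_fits(unsigned int use, unsigned int size, unsigned int len)
{
    unsigned int needed = use + len;   /* may wrap */
    return needed <= size;
}

/* Hardened append: refuse any length for which use + len would wrap, and
 * keep the growth arithmetic itself from wrapping. Returns 0 or -1. */
int tbuf_add(tbuf *b, const unsigned char *data, unsigned int len)
{
    if (b == NULL || data == NULL) return -1;
    if (len == 0) return 0;
    if (len > UINT_MAX - b->use) return -1;   /* overflow check before the add */
    unsigned int needed = b->use + len;       /* cannot wrap now */
    if (needed > b->size) {
        unsigned int newsize = b->size ? b->size : 64;
        while (newsize < needed) {
            if (newsize > UINT_MAX / 2) { newsize = UINT_MAX; break; }
            newsize *= 2;
        }
        unsigned char *p = realloc(b->content, newsize);
        if (p == NULL) return -1;
        b->content = p;
        b->size = newsize;
    }
    memcpy(b->content + b->use, data, len);
    b->use = needed;
    return 0;
}

/* Scenario: two small appends succeed; an append whose length would make
 * use + len wrap to 0 is refused and leaves the buffer untouched.
 * Returns 0 on success, a step number on failure. */
int tbuf_selftest(void)
{
    tbuf b;
    tbuf_init(&b);
    if (tbuf_add(&b, (const unsigned char *)"<a>", 3) != 0) return 1;
    if (tbuf_add(&b, (const unsigned char *)"</a>", 4) != 0) return 2;
    if (b.use != 7 || memcmp(b.content, "<a></a>", 7) != 0) return 3;
    /* constructed length: use + len == UINT_MAX + 1, which wraps to 0 */
    unsigned int evil = UINT_MAX - b.use + 1;
    if (unchecked_says_fits(b.use, b.size, evil) != 1) return 4; /* unchecked would write */
    if (tbuf_add(&b, (const unsigned char *)"x", evil) != -1) return 5;
    if (b.use != 7) return 6;
    tbuf_free(&b);
    return 0;
}

int main(void)
{
    printf("unchecked capacity test with wrapping len: fits=%d (wrong)\n",
           unchecked_says_fits(100u, 200u, UINT_MAX - 50u));
    printf("hardened selftest: %d (0 = ok)\n", tbuf_selftest());
    return 0;
}
```

The same check generalises to the `size_t` counters of `xmlBuf`: replace `UINT_MAX` with `SIZE_MAX`. The point is the order of operations, namely compare `len` against the remaining headroom before forming `use + len`, rather than inspecting the sum after it may already have wrapped.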
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.4+dfsg1-7+deb10u4
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 May 2022 16:13:21 +0200
Source: libxml2
Architecture: source
Version: 2.9.4+dfsg1-7+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1010526
Changes:
 libxml2 (2.9.4+dfsg1-7+deb10u4) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix integer overflow in xmlBufferResize
   * Fix integer overflows in xmlBuf and xmlBuffer (CVE-2022-29824)
     (Closes: #1010526)
Checksums-Sha1: 
 4d87fc4fc52c540714d5e7754ed604e9c51cc7c9 3163 libxml2_2.9.4+dfsg1-7+deb10u4.dsc
 ca9a4f7f1eab2b69ead6174885a5e6b1629ec956 2446412 libxml2_2.9.4+dfsg1.orig.tar.xz
 bdb8be2b5f6bddf8d392252f1cdd676d659a41a0 44728 libxml2_2.9.4+dfsg1-7+deb10u4.debian.tar.xz
Checksums-Sha256: 
 76c5b2edeb11a39e261de86603c43ea0adc65948f04f54fbd7be39bc726655a6 3163 libxml2_2.9.4+dfsg1-7+deb10u4.dsc
 a74ad55e346aa0b2b41903e66d21f8f3d2a736b3f41e32496376861ab484184e 2446412 libxml2_2.9.4+dfsg1.orig.tar.xz
 68f97766c8c8b161bd99f372a4056fd8bcdabd6e54ed496409cf33d6b3a87d11 44728 libxml2_2.9.4+dfsg1-7+deb10u4.debian.tar.xz
Files: 
 68375e62008b8e8ddd51b1e69ad2f495 3163 libs optional libxml2_2.9.4+dfsg1-7+deb10u4.dsc
 3ced197721416e7e2f13b0f4e0f1185b 2446412 libs optional libxml2_2.9.4+dfsg1.orig.tar.xz
 37aad19f71b4c7b8a64ba24f4d59f7c6 44728 libs optional libxml2_2.9.4+dfsg1-7+deb10u4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmKBC15fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E4LcQAJaL/MdkQTdQIMyIeQZBkGkDWhS3Y7Pe
ar6lBYA96QFhWA+ucMzHCX+54XcZQv3l0sysnXMu/YQU1qM43X0RCO35X2jitpxx
yHGdIpyh6sAiefLpZzWjDEzIUFi/6/0l/PRSY8AsolO8My4jWSjrvS4yJ9CaTmUE
CtRYo1doyOzllvePc2icmZVJSDhfTW9F5kOsFOQ0v+Q88w5fDbBp7f+HsnLb74pk
s/oJT0//klpD2j+jNGZqRvcCOYpZg+G5DgklE1hEhiBZ6Yj45ur9cCMPuXf39Rfg
wQLem199MRT1+KQMyFPwY2C29VeHPfKDF67Ug/wIKEO1JnKvDC2pEBsGBQwwNGtG
SPRYJM4FPiKNei3g9bLCgmQC+ZtG54PNJzB5jM2n7LmwF0RmqficMzU3XGJlZrtp
sZ3TJq3o3pnJYqEyy9cpM2+TjIrJpSUdfNBn/Txmhl9JsfLyhE2cdlWodUP9CONK
LaEWp5dfsN9O4S65a+2t3oSl0qU+QiWVGUXo/3loR1V9Tjn7mpijx1WIhCd/oZOa
sCX+GbhuBmMwAhDcCM2GNKP6pzBW71rBqUUeoMhmtXbHDA+/nqKxVYTwtcImMvCD
GkFZhMXGv86lv28xZRob17pf+OfKVwgvLUjzIUQFByDBkS4OKghuWHG8FRUl8uFJ
HMQVlGxT9zB7
=woq5
-----END PGP SIGNATURE-----

--- End Message ---