Your message dated Thu, 22 Dec 2022 10:00:12 +0000
with message-id <[email protected]>
and subject line Bug#977192: fixed in libappimage 1.0.4-1
has caused the Debian Bug report #977192,
regarding libappimage: CVE-2020-25265
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
977192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977192
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libappimage
Version: 0.1.9+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/AppImage/libappimage/pull/146
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libappimage.
CVE-2020-25265[0]:
| AppImage libappimage before 1.0.3 allows attackers to trigger an
| overwrite of a system-installed .desktop file by providing a .desktop
| file that contains Name= with path components.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-25265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25265
[1] https://github.com/AppImage/libappimage/pull/146
[2] https://github.com/refi64/CVE-2020-25265-25266
Regards,
Salvatore
--- End Message ---
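The flaw class in the CVE text above (a `Name=` value with path components spliced into the integration path) is easy to reproduce in isolation. The following C++ is an added illustration, not libappimage code and not the upstream fix referenced in PR 146; the `.desktop` body, the integration directory and the whitelist in `sanitizeName` are constructed for the example.

```cpp
// Added illustration of the CVE-2020-25265 bug class. Not libappimage code and
// not a reproduction of the upstream fix: it shows how a Name= value copied
// verbatim from an untrusted .desktop file escapes the integration directory
// when spliced into an output path, and one whitelist-based way to sanitise it.
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample: an attacker-controlled .desktop file whose Name= carries
// path components. The traversal depth and target file are hypothetical.
static const char* const kMaliciousDesktop =
    "[Desktop Entry]\n"
    "Type=Application\n"
    "Name=../../../../../usr/share/applications/firefox\n"
    "Exec=AppRun\n";

// Return the value of the first "Name=" line, or "" if there is none.
std::string desktopName(const std::string& contents) {
    std::istringstream in(contents);
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("Name=", 0) == 0) return line.substr(5);
    }
    return "";
}

// Vulnerable pattern: the name is concatenated into the path unchanged.
std::string integrationPathUnsafe(const std::string& appsDir, const std::string& name) {
    return appsDir + "/" + name + ".desktop";
}

// Whitelist sanitiser (hypothetical policy): keep [A-Za-z0-9._-], replace
// anything else, including '/', with '_'. A result that is empty or made only
// of dots ("." / "..") becomes a fixed placeholder so it can never act as a
// directory component.
std::string sanitizeName(const std::string& name) {
    std::string out;
    for (unsigned char c : name) {
        bool ok = std::isalnum(c) || c == '.' || c == '_' || c == '-';
        out += ok ? static_cast<char>(c) : '_';
    }
    if (out.empty() || out.find_first_not_of('.') == std::string::npos) out = "appimage";
    return out;
}

// Hardened pattern: sanitise before splicing into the path.
std::string integrationPathSafe(const std::string& appsDir, const std::string& name) {
    return appsDir + "/" + sanitizeName(name) + ".desktop";
}

// Purely lexical normalisation of an absolute path: drops "" and "." segments
// and lets ".." pop the previous segment. No filesystem access, no symlinks.
std::string lexicalNormalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Defence in depth: after normalisation the target must still be a child of dir.
bool staysInside(const std::string& dir, const std::string& path) {
    const std::string d = lexicalNormalize(dir);
    const std::string p = lexicalNormalize(path);
    return p.rfind(d + "/", 0) == 0;
}

int main() {
    const std::string appsDir = "/home/user/.local/share/applications";  // hypothetical
    const std::string name = desktopName(kMaliciousDesktop);
    const std::string bad = integrationPathUnsafe(appsDir, name);
    const std::string good = integrationPathSafe(appsDir, name);
    std::cout << "unsafe: " << lexicalNormalize(bad) << " inside=" << staysInside(appsDir, bad) << "\n"
              << "safe:   " << lexicalNormalize(good) << " inside=" << staysInside(appsDir, good) << "\n";
    return 0;
}
```

The unsafe path normalises to a file under `/usr/share/applications`, which is the overwrite the CVE describes; the sanitised path stays under the integration directory. `lexicalNormalize` is a string-level check only: real integration code should additionally refuse to clobber a file it did not create (for example by opening with `O_EXCL`), since a lexical check says nothing about symlinks already present in the target directory.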
--- Begin Message ---
Source: libappimage
Source-Version: 1.0.4-1
Done: Scarlett Moore <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libappimage, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scarlett Moore <[email protected]> (supplier of updated libappimage package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 21 Dec 2022 08:12:12 -0700
Source: libappimage
Binary: libappimage-dev libappimage0 libappimage1.0abi1 libappimage1.0abi1-dbgsym
Architecture: source amd64
Version: 1.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <[email protected]>
Changed-By: Scarlett Moore <[email protected]>
Description:
libappimage-dev - Development files for libappimage
libappimage0 - Core library for appimage - transitional
libappimage1.0abi1 - Core library for appimage
Closes: 977192
Changes:
libappimage (1.0.4-1) unstable; urgency=medium
.
[ Harald Sitter ]
* New upstream release.
.
[ Scarlett Moore ]
* Update dependencies as per cmake and configure cmake flags to use
system libraries.
* Merge KDE Neon Packaging. Thanks!
* Switch to debhelper-compat.
* Update repo, moved to 3rdparty under kde umbrella.
* Update symbols file.
- Add symbolshelper-confirmed header to symbols file.
- Rename file to new 1.0 SO version.
- Update name in symbols file.
- update new symbols / remove missing ( new SO version ).
- Use ABI Manager to bump SO Version as there are
missing symbols and I can't seem to get an answer
from upstream whether they are internal or public.
- Fix package name in symbols file to match abi bump.
- Refresh symbols i386.
- Refresh symbols amd64.
- Fix X-Debian-Abi in control file.
- Fix versions in symbols file.
* Add rules-requires-root: no in d/control.
* Update d/upstream/metadata.
- Remove obsolete entries already defined in d/copyright.
- Add bug-database entry.
* Remove Priority extras ( lintian ).
* Remove --as-needed flag as it is now default.
* Bump Standards:
- 4.5.1; no changes.
- 4.6.1, no changes needed.
* Change to team maintainer.
* Add googletest test dependency.
* Add override to dh_clean to clean up test data.
* Refresh copyright.
- Add upstream-contact field.
- Update file.
- Update year in copyright file.
* Refresh patches:
- Add patch to fix linking issues with clients of this library.
- Fix spelling error in patch description found by lintian.
See patch for details, upstreamed.
- Remove reproducible builds patch applied upstream.
- Remove 0001-Make-string-sanitizer-strictly-C-11 patch
applied upstream.
* Remove unused rules overrides.
- dh_missing --fail-missing is now default.
- dh_clean test dir no longer necessary.
* Update Homepage to new repo address.
* Add upstream patch to fix spelling error found by lintian.
* Update my email address in uploaders.
* Add lintian overrides for source as these are test files.
- missing source in test/data as it is there so
it must be long-line false positive.
- Add the now triggered long line lintian.
- Add binary in source lintian.
- Fix lintian override catchalls.
* New release ( 1.0.4 ) Closes: #977192
* Release to unstable.
Checksums-Sha1:
d34e0578cfcb1744bef18e78fb351545aafe0621 2455 libappimage_1.0.4-1.dsc
75d9b760087ae785449be113d42528a0adbaa8a5 1317288 libappimage_1.0.4.orig.tar.xz
179fee841f8750246ab7bd2422d2fc3e3066d0b5 11828 libappimage_1.0.4-1.debian.tar.xz
796afe7f70054810d9fcb30698c060d7d3948602 21504 libappimage-dev_1.0.4-1_amd64.deb
594662bd068715f23090566b3428f671de933458 3956 libappimage0_1.0.4-1_amd64.deb
32646432a662808e35a1a416932f3bf0a2ba8ae5 1246628 libappimage1.0abi1-dbgsym_1.0.4-1_amd64.deb
9c98ceb09ab1d7735401d05a250b667043cf5ad5 77704 libappimage1.0abi1_1.0.4-1_amd64.deb
b4598da8c04f26b6ccf0e47636c40151d8244f1f 12571 libappimage_1.0.4-1_amd64.buildinfo
Checksums-Sha256:
1a5ae466d63652a55ba99374cd769b13add75427052ae42027e6482d82e04374 2455 libappimage_1.0.4-1.dsc
956a6c9628365ef5a8d841fb9a7ffca6cae2736f8a2500eb78505148bf4d2344 1317288 libappimage_1.0.4.orig.tar.xz
b56ccd52dab72e175d8280f8ff9e323242bf9f973b4fa395ab6c5aaad6221b57 11828 libappimage_1.0.4-1.debian.tar.xz
d3088d9d03a87f3eea14098d5659d2d8799aa63f05181a013ffcc95ba94b89d0 21504 libappimage-dev_1.0.4-1_amd64.deb
c9b546ceca0e2a9503dd4e5b86338c56043a5c7b7addd37250058659541d437b 3956 libappimage0_1.0.4-1_amd64.deb
54aed38b284b5aaf3eb1aa7051463bf7324c5f112a79760445d404b322734566 1246628 libappimage1.0abi1-dbgsym_1.0.4-1_amd64.deb
b21d04ecd4f98bbbad36736c0b2b0a313a8b1f29d6c3ea4271ad1f6bcd40d9a7 77704 libappimage1.0abi1_1.0.4-1_amd64.deb
9799347c8769d9afbe1d5bcd79e70d0552bdbb0b13ac09242acd1cdafe80e1a0 12571 libappimage_1.0.4-1_amd64.buildinfo
Files:
3f2c1ab8155d65c801dc4201bce113b7 2455 libs optional libappimage_1.0.4-1.dsc
df29b4a7e4dcd96bf99e29eabf5c69b2 1317288 libs optional libappimage_1.0.4.orig.tar.xz
554d18a166c4cfd8d4b3543df8ca3d44 11828 libs optional libappimage_1.0.4-1.debian.tar.xz
6c6da49e5d54936299c5c81d24de0c34 21504 libdevel optional libappimage-dev_1.0.4-1_amd64.deb
413d6615254ea294dabc99be49d9e0c0 3956 oldlibs optional libappimage0_1.0.4-1_amd64.deb
a37fd2683f47a9bd51a3e77c3232ec69 1246628 debug optional libappimage1.0abi1-dbgsym_1.0.4-1_amd64.deb
de534b53fd9a49057468705604ed5eb8 77704 libs optional libappimage1.0abi1_1.0.4-1_amd64.deb
3c811cceef41d1f2d62dc0b82f25404f 12571 libs optional libappimage_1.0.4-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---