Your message dated Tue, 24 Oct 2023 07:36:35 +0000
with message-id <e1qvbxr-00eeui...@fasolo.debian.org>
and subject line Bug#1054163: fixed in fastdds 2.11.2+ds-6
has caused the Debian Bug report #1054163,
regarding fastdds: CVE-2023-42459
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2023-42459[0]:
| Fast DDS is a C++ implementation of the DDS (Data Distribution
| Service) standard of the OMG (Object Management Group). In affected
| versions, specific DATA submessages can be sent to a discovery
| locator which may trigger a free error. This can remotely crash any
| Fast-DDS process. The call to free() could potentially leave the
| pointer in the attacker's control, which could lead to a double free.
| This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3,
| and 2.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm
https://github.com/eProsima/Fast-DDS/issues/3207
https://github.com/eProsima/Fast-DDS/pull/3824
https://github.com/eProsima/Fast-DDS/commit/1e978c6f3d0ca1df6b323b37fd4902b0762ececb


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42459
    https://www.cve.org/CVERecord?id=CVE-2023-42459

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: fastdds
Source-Version: 2.11.2+ds-6
Done: Timo Röhling <roehl...@debian.org>

We believe that the bug you reported is fixed in the latest version of
fastdds, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling <roehl...@debian.org> (supplier of updated fastdds package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 24 Oct 2023 09:18:49 +0200
Source: fastdds
Architecture: source
Version: 2.11.2+ds-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Robotics Team <team+robot...@tracker.debian.org>
Changed-By: Timo Röhling <roehl...@debian.org>
Closes: 1052742 1054163
Changes:
 fastdds (2.11.2+ds-6) unstable; urgency=medium
 .
   * Disable tests as hotfix for GTest issue (Closes: #1052742)
   * Fix CVE-2023-42459: bad-free when receiving malformed DATA submessage
     (Closes: #1054163)
Checksums-Sha1:
 35eee05d16d525859920a1467279b04e4bd463fe 3115 fastdds_2.11.2+ds-6.dsc
 7ec91f3f2c6db16981858ae2982064ceb54bb336 21392 fastdds_2.11.2+ds-6.debian.tar.xz
 dac99ff6eb45d7cb877909829027f8b6182096a0 11070 fastdds_2.11.2+ds-6_amd64.buildinfo
Checksums-Sha256:
 229759dc9940e6aa343c28535dc0dee74d8e6dab358149af2e54b6eda9c736d1 3115 fastdds_2.11.2+ds-6.dsc
 aa29733e9ca624f98e44544864413831972981e042a088a979901e207032c0f6 21392 fastdds_2.11.2+ds-6.debian.tar.xz
 92bb8dead97293f69f87e79c2c2fd21c5321374a53099804d140784acbdbdbc9 11070 fastdds_2.11.2+ds-6_amd64.buildinfo
Files:
 b1d3a32c6e561b9ab3b1b48b3f0943a6 3115 libs optional fastdds_2.11.2+ds-6.dsc
 c8f6e67a7a25b3f35ad95775440f9bc7 21392 libs optional fastdds_2.11.2+ds-6.debian.tar.xz
 1cde954fbfe06caca9663774a3437190 11070 libs optional fastdds_2.11.2+ds-6_amd64.buildinfo


--- End Message ---