Your message dated Wed, 17 Apr 2024 18:10:11 +0000
with message-id <e1rx9jx-00fovm...@fasolo.debian.org>
and subject line Bug#1067393: fixed in fastdds 2.14.0+ds-1
has caused the Debian Bug report #1067393,
regarding fastdds: CVE-2024-28231
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1067393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fastdds
Version: 2.11.2+ds-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for fastdds.

CVE-2024-28231[0]:
| eprosima Fast DDS is a C++ implementation of the Data Distribution
| Service standard of the Object Management Group. Prior to versions
| 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA
| Submessage can cause a heap overflow error in the Fast-DDS process,
| causing the process to be terminated remotely. Additionally, the
| payload_size in the DATA Submessage packet is declared as uint32_t.
| When a negative number, such as -1, is input into this variable, it
| results in an Integer Overflow (for example, -1 gets converted to
| 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow,
| causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3,
| 2.10.4, and 2.6.8 contain a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28231
    https://www.cve.org/CVERecord?id=CVE-2024-28231
[1] https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
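The CVE text above describes a length field that is parsed as uint32_t and used to size a heap copy: a value such as -1 becomes 0xFFFFFFFF, and any bounds check that adds a header length to that value wraps around and passes. The following is an added illustration, not Fast-DDS's code and not the RTPS wire format; it uses a hypothetical, simplified submessage layout (a 4-byte little-endian length followed by payload) and constructed sample inputs. `naive_fits` shows the arithmetic that wraps; `parse_data_submsg` shows the defensive form, which compares the declared length against the bytes actually present and does no arithmetic on the untrusted value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified layout used only for this illustration (it is NOT
 * the RTPS wire format and NOT Fast-DDS code):
 *   bytes 0..3  payload_size, uint32_t, little-endian
 *   bytes 4..   payload
 */
#define HDR_LEN 4u

typedef struct {
    uint32_t payload_size;      /* validated: never larger than the bytes present */
    const uint8_t *payload;     /* points into the caller's buffer */
} data_submsg_t;

/* The pattern that goes wrong: adding the header length to an untrusted
 * uint32_t wraps (0xFFFFFFFF + 4 == 3), so "end <= buf_len" is satisfied even
 * though the declared payload is ~4 GiB. Returns 1 when the naive check would
 * accept the submessage. */
int naive_fits(uint32_t declared, uint32_t buf_len)
{
    uint32_t end = declared + HDR_LEN;   /* unsigned wrap-around is well defined, and wrong here */
    return end <= buf_len;
}

/* Hardened parser: returns 0 and fills *out on success, -1 on any malformed input. */
int parse_data_submsg(const uint8_t *buf, size_t len, data_submsg_t *out)
{
    if (buf == NULL || out == NULL || len < HDR_LEN)
        return -1;

    uint32_t declared = (uint32_t)buf[0]
                      | ((uint32_t)buf[1] << 8)
                      | ((uint32_t)buf[2] << 16)
                      | ((uint32_t)buf[3] << 24);

    /* Compare the declared size against the bytes actually remaining. Subtracting
     * the header from the known-good total (instead of adding it to the untrusted
     * value) means no arithmetic is done on attacker-controlled input, so a value
     * like 0xFFFFFFFF (what -1 becomes in a uint32_t) is simply rejected. */
    size_t remaining = len - HDR_LEN;
    if ((size_t)declared > remaining)
        return -1;

    out->payload_size = declared;
    out->payload = buf + HDR_LEN;
    return 0;
}

/* Allocate a heap buffer sized by the *validated* length and copy the payload
 * into it; in the unchecked pattern this malloc/memcpy pair is where the
 * heap-buffer-overflow occurs. Returns NULL if validation fails. */
uint8_t *copy_payload(const uint8_t *buf, size_t len, size_t *out_len)
{
    data_submsg_t msg;
    if (parse_data_submsg(buf, len, &msg) != 0)
        return NULL;
    uint8_t *dst = malloc(msg.payload_size ? msg.payload_size : 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, msg.payload, msg.payload_size);
    *out_len = msg.payload_size;
    return dst;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[8] = { 4, 0, 0, 0, 'a', 'b', 'c', 'd' };
static const uint8_t SAMPLE_BAD[8]  = { 0xff, 0xff, 0xff, 0xff, 1, 2, 3, 4 };  /* payload_size = -1 as uint32_t */

int sample_good_parses(void)
{
    data_submsg_t m;
    return parse_data_submsg(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &m) == 0 && m.payload_size == 4;
}

int sample_bad_rejected(void)
{
    data_submsg_t m;
    return parse_data_submsg(SAMPLE_BAD, sizeof SAMPLE_BAD, &m) == -1;
}

int sample_good_copies(void)
{
    size_t n = 0;
    uint8_t *p = copy_payload(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
    int ok = p != NULL && n == 4 && memcmp(p, "abcd", 4) == 0;
    free(p);
    return ok;
}

int main(void)
{
    printf("naive check accepts 0xFFFFFFFF: %d (this is the bug)\n",
           naive_fits(0xFFFFFFFFu, (uint32_t)sizeof SAMPLE_BAD));
    printf("hardened parser accepts good: %d, rejects bad: %d, copies good: %d\n",
           sample_good_parses(), sample_bad_rejected(), sample_good_copies());
    return 0;
}
```

The design point is the direction of the arithmetic: subtract the fixed header from the trusted total length and compare, rather than adding the header to the untrusted field. Running the parser under AddressSanitizer with the constructed bad input is a cheap regression check for this class of bug.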
--- Begin Message ---
Source: fastdds
Source-Version: 2.14.0+ds-1
Done: Timo Röhling <roehl...@debian.org>

We believe that the bug you reported is fixed in the latest version of
fastdds, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1067...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling <roehl...@debian.org> (supplier of updated fastdds package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Apr 2024 22:36:40 +0200
Source: fastdds
Binary: fastdds-tools fastdds-tools-dbgsym libfastrtps-dev libfastrtps-doc libfastrtps2.14 libfastrtps2.14-dbgsym
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 2.14.0+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Robotics Team <team+robot...@tracker.debian.org>
Changed-By: Timo Röhling <roehl...@debian.org>
Description:
 fastdds-tools - eProsima FastDDS Discovery Server and Tools
 libfastrtps-dev - C++ library for the Real Time Publish Subscribe Protocol - develo
 libfastrtps-doc - C++ library for the Real Time Publish Subscribe Protocol - docume
 libfastrtps2.14 - C++ library for the Real Time Publish Subscribe Protocol
Closes: 1064515 1066119 1067180 1067393
Changes:
 fastdds (2.14.0+ds-1) experimental; urgency=medium
 .
   * New upstream version 2.14.0+ds
     - Fix CVE-2023-50257: Denial of service against subscribers
       (Closes: #1064515)
     - Fix CVE-2023-50716: Bad-free on invalid DATA_FRAG submessage
       (Closes: #1066119)
     - Fix CVE-2024-26369: SIGABRT on HistoryQosPolicy with depth 0
       (Closes: #1067180)
     - Fix CVE-2024-28231: Heap overflow on invalid DATA submessage
       (Closes: #1067393)
   * Update d/copyright
   * Drop snakeoil cert generation
   * Update d/rules
   * Bump SONAME to 2.14
   * Bump Standards-Version to 4.7.0
   * Build-Depend on libfastcdr-dev >= 2.2
   * Re-enable test suite
Checksums-Sha1:
 764cd2ba995efb529ef9277b1d7f1d0ddd39439b 3254 fastdds_2.14.0+ds-1.dsc
 b5b8842c740b78da0b125c14986398e696862562 3214940 fastdds_2.14.0+ds.orig.tar.xz
 fbefd6720a995c25b5d44102687edcaa0c48a4fa 16772 fastdds_2.14.0+ds-1.debian.tar.xz
 ccd6e59cdc8b51843bba4eeb82378e842d50f294 725660 fastdds-tools-dbgsym_2.14.0+ds-1_amd64.deb
 76a3f53bdf22443ae799cbb5810673ed3566968e 63660 fastdds-tools_2.14.0+ds-1_amd64.deb
 35f8affafbc84834058c0369f26e1ace6b771f75 11206 fastdds_2.14.0+ds-1_amd64.buildinfo
 208d4857721fc58c03109ef2cebc2b84d9987d7e 297692 libfastrtps-dev_2.14.0+ds-1_amd64.deb
 c36a2b24100ddbce283ac11ae373bc1ca43fc0f1 2347996 libfastrtps-doc_2.14.0+ds-1_all.deb
 2d6602d24ee31a2b870398509319851d2f027897 61300256 libfastrtps2.14-dbgsym_2.14.0+ds-1_amd64.deb
 27d3037a64ed8a4279aa6e18ef2b8e8838fee0d0 2460884 libfastrtps2.14_2.14.0+ds-1_amd64.deb
Checksums-Sha256:
 e13ee1fa343fb892e920bc85484aaecb664de266a1f558355be42c08b7234cbf 3254 fastdds_2.14.0+ds-1.dsc
 d06b4efc09088b26dec13ba8ff87501a045bd946a7f366057c43df5cf0c845b7 3214940 fastdds_2.14.0+ds.orig.tar.xz
 8d4e605c7dbc8642b4bb8b8cc5c689801dcdb4b7eceb7e03c3595c9cad50e6bf 16772 fastdds_2.14.0+ds-1.debian.tar.xz
 80226f657657d5b395a9cc56da2a2874fe1b9f954e2220d3185111c8bbc548c9 725660 fastdds-tools-dbgsym_2.14.0+ds-1_amd64.deb
 d0fa3730e2c80e932fa4c3e327bd4572b235ffa273e0c1341d44e6fdffc64525 63660 fastdds-tools_2.14.0+ds-1_amd64.deb
 736a1a6a95940f681842fb4d2cd7244ef6f93dd85a045a4360b1b3b898ff3b5e 11206 fastdds_2.14.0+ds-1_amd64.buildinfo
 16e871d34190f2e401eb93b62e325cecfe6028b102551277236c420a30443cc6 297692 libfastrtps-dev_2.14.0+ds-1_amd64.deb
 94ff3f994ae4818b40145309873a74dcd052a72e7fc2adf01a93744ef3d7680f 2347996 libfastrtps-doc_2.14.0+ds-1_all.deb
 606f51446c94f079e3fb2e56dad1f655122963f71cab339a37a1aeb76521facd 61300256 libfastrtps2.14-dbgsym_2.14.0+ds-1_amd64.deb
 b7e767a9b45942c29a54eb04f5b78093b508409f329c8076f41291790a3ed36f 2460884 libfastrtps2.14_2.14.0+ds-1_amd64.deb
Files:
 1fccc69672c005ae1af626bdc7b10203 3254 libs optional fastdds_2.14.0+ds-1.dsc
 a030ba4d9edcfb7760c60b87d38cb38d 3214940 libs optional fastdds_2.14.0+ds.orig.tar.xz
 0b4b4f9ee69919283f3869d9f0e3022b 16772 libs optional fastdds_2.14.0+ds-1.debian.tar.xz
 94d2b0ec1880e9ceddd7a86312a78f6a 725660 debug optional fastdds-tools-dbgsym_2.14.0+ds-1_amd64.deb
 58fa3825ee57b154056108baf7edea98 63660 net optional fastdds-tools_2.14.0+ds-1_amd64.deb
 a32781e915cce7625e955e21e6d02047 11206 libs optional fastdds_2.14.0+ds-1_amd64.buildinfo
 1995c63bd0834973f158697b6b339b35 297692 libdevel optional libfastrtps-dev_2.14.0+ds-1_amd64.deb
 a79b73a2f988ce0b3243e204ea19b1ec 2347996 doc optional libfastrtps-doc_2.14.0+ds-1_all.deb
 88903ff5f19cb95181c138db2de162f9 61300256 debug optional libfastrtps2.14-dbgsym_2.14.0+ds-1_amd64.deb
 d83d6bd3798f06a868fa9c12da2e197f 2460884 libs optional libfastrtps2.14_2.14.0+ds-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
