Your message dated Tue, 23 Apr 2024 16:47:08 +0000
with message-id <e1rzjis-00a6ao...@fasolo.debian.org>
and subject line Bug#1069191: fixed in glibc 2.36-9+deb12u6
has caused the Debian Bug report #1069191,
regarding glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix 
out-of-bound writes when writing escape sequence
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1069191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glibc
Version: 2.37-17
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.37-15
Control: found -1 2.36-9+deb12u5
Control: found -1 2.36-9+deb12u4
Control: found -1 2.36-9
Control: found -1 2.31-13+deb11u8
Control: found -1 2.31-13

Hi,

The following vulnerability was published for glibc.

CVE-2024-2961[0]:
| The iconv() function in the GNU C Library versions 2.39 and older
| may overflow the output buffer passed to it by up to 4 bytes when
| converting strings to the ISO-2022-CN-EXT character set, which may
| be used to crash an application or overwrite a neighbouring
| variable.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2961
    https://www.cve.org/CVERecord?id=CVE-2024-2961
[1] https://www.openwall.com/lists/oss-security/2024/04/17/9

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.36-9+deb12u6
Done: Aurelien Jarno <aure...@debian.org>

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aure...@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Apr 2024 18:34:04 +0200
Source: glibc
Architecture: source
Version: 2.36-9+deb12u6
Distribution: bookworm-security
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aure...@debian.org>
Closes: 1069191
Changes:
 glibc (2.36-9+deb12u6) bookworm-security; urgency=medium
 .
   * debian/patches/any/local-CVE-2024-2961-iso-2022-cn-ext.diff: Fix
     out-of-bound writes when writing escape sequence in iconv ISO-2022-CN-EXT
     module (CVE-2024-2961).  Closes: #1069191.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--- End Message ---
