Your message dated Fri, 06 Nov 2015 09:32:56 +0000
with message-id <e1zudoc-0005d2...@franck.debian.org>
and subject line Bug#797165: fixed in freeimage 3.15.1-1.1
has caused the Debian Bug report #797165,
regarding CVE-2015-0852: integer overflow in PluginPCX.cpp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
797165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freeimage
Version: 3.10.0-4
Severity: serious
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for freeimage.

CVE-2015-0852[0]:
Integer overflow in PluginPCX.cpp

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
    https://marc.info/?l=oss-security&m=144073280200732&w=2

Please adjust the affected versions in the BTS as needed.

BTW upstream patches are available but they are not minimal patches:
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.18&r2=1.19&pathrev=MAIN

Hopefully one of the people who will discover this RC bug (because
their package depends on freeimage or whatever) can be convinced to take
over this package... it has been orphaned for way too long.

Note that the package has another pending security issue (#786790).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: freeimage
Source-Version: 3.15.1-1.1

We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gl...@debian.org> (supplier of updated freeimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Oct 2015 22:33:32 +0100
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source amd64
Version: 3.15.1-1.1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Anton Gladky <gl...@debian.org>
Description: 
 libfreeimage-dev - Support library for graphics image formats (development files)
 libfreeimage3 - Support library for graphics image formats (library)
 libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 797165
Changes: 
 freeimage (3.15.1-1.1) wheezy-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix integer overflow CVE-2015-0852. (Closes: #797165)


--- End Message ---