Your message dated Mon, 29 May 2023 19:32:23 +0000
with message-id <[email protected]>
and subject line Bug#1031790: fixed in libraw 0.20.2-1+deb11u1
has caused the Debian Bug report #1031790,
regarding libraw: CVE-2021-32142
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1031790: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031790
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libraw
Version: 0.20.2-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/LibRaw/LibRaw/issues/400
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: fixed -1 0.21.1-1
Hi,
The following vulnerability was published for libraw. The wording of
the CVE description from the feed is disputable; I believe this should
be at most a DoS.
CVE-2021-32142[0]:
| Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows
| attacker to escalate privileges via the
| LibRaw_buffer_datastream::gets(char*, int) in
| /src/libraw/src/libraw_datastream.cpp.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32142
https://www.cve.org/CVERecord?id=CVE-2021-32142
[1] https://github.com/LibRaw/LibRaw/issues/400
[2] https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
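Added example (not LibRaw's code and not part of the bug report above): a minimal memory-backed datastream in C with a gets() of the shape the CVE description names. The unchecked variant bounds the copy by the caller's buffer but never checks how much input is left, so a final line without a trailing newline reads past the end of the input buffer; the checked variant refuses to read once the stream is exhausted and stops at whichever comes first: newline, the caller's size, or the end of input. The type and function names (memstream, gets_unchecked, gets_checked) and the sample input are constructed for this example and are not LibRaw's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stream; hypothetical, not LibRaw's
 * LibRaw_buffer_datastream. */
typedef struct {
    const unsigned char *buf;   /* start of the in-memory input */
    size_t size;                /* number of valid bytes in buf */
    size_t pos;                 /* current read offset into buf */
} memstream;

/* Bug shape: the copy is bounded by the caller's buffer (sz) but not by the
 * input. If the remaining input contains no '\n', the loop keeps reading
 * past buf + size: an out-of-bounds read of the input buffer. It is only
 * here to show the defect; call it solely on input known to end in '\n'. */
static char *gets_unchecked(memstream *st, char *s, int sz)
{
    if (sz < 1)
        return NULL;
    size_t n = 0, max = (size_t)sz - 1;      /* keep one byte for the NUL */
    while (n < max) {                        /* no st->pos < st->size test */
        unsigned char c = st->buf[st->pos++];
        s[n++] = (char)c;
        if (c == '\n')
            break;
    }
    s[n] = '\0';
    return s;
}

/* Fixed shape: refuse to read once the input is exhausted, and bound the
 * copy by both the caller's buffer and the bytes actually left in the
 * stream. Semantics follow fgets(): the newline is kept, the result is
 * always NUL-terminated, and NULL means "nothing left to read". */
static char *gets_checked(memstream *st, char *s, int sz)
{
    if (sz < 1 || st->pos >= st->size)       /* input buffer size check */
        return NULL;
    size_t n = 0, max = (size_t)sz - 1;
    while (n < max && st->pos < st->size) {
        unsigned char c = st->buf[st->pos++];
        s[n++] = (char)c;
        if (c == '\n')
            break;
    }
    s[n] = '\0';
    return s;
}

int main(void)
{
    /* Constructed sample: the last line deliberately has no trailing '\n'. */
    static const unsigned char data[] = "ISO 100\nshort\nlast line no newline";
    memstream st = { data, sizeof data - 1, 0 };
    char line[16];
    while (gets_checked(&st, line, sizeof line) != NULL)
        printf("[%s]\n", line);
    return 0;
}
```

The point worth keeping from the fix description ("check for input buffer size") is that a size argument from the caller only protects the destination; a reader over a memory buffer needs a second bound from the source, and the end-of-stream case must return NULL rather than walk off the end. The unchecked variant behaves identically on well-formed input, which is why this class of bug survives ordinary testing.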
--- Begin Message ---
Source: libraw
Source-Version: 0.20.2-1+deb11u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libraw, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libraw package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 May 2023 07:51:55 +0200
Source: libraw
Architecture: source
Version: 0.20.2-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1031790 1036281
Changes:
libraw (0.20.2-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* check for input buffer size on datastream::gets (CVE-2021-32142)
(Closes: #1031790)
* do not set shrink flag for 3/4 component images (CVE-2023-1729)
(Closes: #1036281)
Checksums-Sha1:
c97542c8d3c1a032bee9a0ce50aab3dff2a3edab 2371 libraw_0.20.2-1+deb11u1.dsc
0b425d9a5ed873adeeb68ea1b4945745f3ec1507 512176 libraw_0.20.2.orig.tar.gz
5689b82f4d93fa85f715fb391ed878965482dac1 23208 libraw_0.20.2-1+deb11u1.debian.tar.xz
Checksums-Sha256:
b8ec7dc340f46a1925f717067efe905449628cb76581a75aa92ddd1d7e4f1b68 2371 libraw_0.20.2-1+deb11u1.dsc
02df7d403b34602b769bb38e5bf7d4258e075eeefbe980b6832e6e1491989d60 512176 libraw_0.20.2.orig.tar.gz
bd16a68a2d776b77964e931d67cf08b342639540b11ba12bcfe305c36ae11772 23208 libraw_0.20.2-1+deb11u1.debian.tar.xz
Files:
9405bdd1638d2e715351385b41bafb76 2371 libs optional libraw_0.20.2-1+deb11u1.dsc
f92fd7c0f47b771e18607a2198618d15 512176 libs optional libraw_0.20.2.orig.tar.gz
a00883b5ca1cdab77813f4048b8acf39 23208 libs optional libraw_0.20.2-1+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---