Bug#873718: Fixes for security vulnerabilities on libgig?

2017-10-13 Thread Jaromír Mikeš
2017-10-03 20:07 GMT+02:00 Christian Schoenebeck <schoeneb...@linuxsampler.org>:

Hi Christian,


> I just applied your patch regarding CVE-2017-12950, CVE-2017-12952 and
> CVE-2017-12953 for libgig on our side, in slightly modified form:
>
> http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision=3348
>
> Additionally, the following 2 patches are yet missing on your side, as far
> as I can see.
>
> 1. CVE-2017-12951:
> http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision=3349
>
> 2. CVE-2017-12954:
> http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision=3350
>

Sorry for coming so late ... I am just applying your patches and will
update libgig in Debian this evening.

best regards

mira


Bug#873718: Fixes for security vulnerabilities on libgig?

2017-10-03 Thread Christian Schoenebeck
Hi there,

I just applied your patch regarding CVE-2017-12950, CVE-2017-12952 and 
CVE-2017-12953 for libgig on our side, in slightly modified form:

http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision=3348

Additionally, the following 2 patches are yet missing on your side, as far as
I can see.

1. CVE-2017-12951:
http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision=3349

2. CVE-2017-12954:
http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision=3350

Thanks for your report!

Best regards,
Christian Schoenebeck



Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Christian Schoenebeck
On Wednesday, August 30, 2017 15:09:39 Raphael Hertzog wrote:
> [ Copy to the Debian bugtracker ]
> 
> Hello Christian,

Hi Raphael,

> a few security issues have been reported against libgig:
> http://seclists.org/fulldisclosure/2017/Aug/39
> 
> The reproducer files are attached too:
> http://seclists.org/fulldisclosure/2017/Aug/att-39/poc_zip.bin
> 
> I wanted to check that you were aware of those issues and if
> you had any patch already. 

Thanks for letting me know. And no, I don't have any patch against those 
issues on my side yet. I see you already came up with some, so I will have a 
look at your patches.

> I could not find any bug tracker
> with open issues so I'm writing to you directly. The subversion
> repository has no recent history related to those issues either.

We do have a bug tracker:

https://bugs.linuxsampler.org

However it currently does not accept new user (self)registrations, because we 
had to struggle with massive spam bot attacks on that tracker. So we decided 
to disable self-registrations for a while.

Thanks!

CU
Christian



Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Salvatore Bonaccorso

On Wed, Aug 30, 2017 at 04:34:44PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> All but CVE-2017-12951 are probably fixed already with the
> 4.0.0-4 upload to unstable today.

Might actually just uncover another problem after the fix.

Regards,
Salvatore



Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Salvatore Bonaccorso
Hi

All but CVE-2017-12951 are probably fixed already with the
4.0.0-4 upload to unstable today.

Regards,
Salvatore



Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Raphael Hertzog
[ Copy to the Debian bugtracker ]

Hello Christian,

a few security issues have been reported against libgig:
http://seclists.org/fulldisclosure/2017/Aug/39

The reproducer files are attached too:
http://seclists.org/fulldisclosure/2017/Aug/att-39/poc_zip.bin

I wanted to check that you were aware of those issues and if
you had any patch already. I could not find any bug tracker
with open issues so I'm writing to you directly. The subversion
repository has no recent history related to those issues either.

Thank you!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/