
Bug#910757: marked as done (gnulib: CVE-2018-17942 heap-based buffer overflow)



Your message dated Tue, 12 Feb 2019 06:34:53 +0000
with message-id <E1gtRef-0004qq-Sv@fasolo.debian.org>
and subject line Bug#910757: fixed in gnulib 20180621~6979c25-3
has caused the Debian Bug report #910757,
regarding gnulib: CVE-2018-17942 heap-based buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
910757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910757
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: gnulib
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gnulib.

CVE-2018-17942[0]:
| The convert_to_decimal function in vasnprintf.c in Gnulib before
| 2018-09-23 has a heap-based buffer overflow because memory is not
| allocated for a trailing '\0' character during %f processing.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17942

Patch is available here:

https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35


Please adjust the affected versions in the BTS as needed.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
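An added C illustration of the bug class the CVE text above describes. This is not gnulib's code and not the patch linked in the report: gnulib's real convert_to_decimal works on multi-precision limbs and is reached from %f formatting, whereas here the value is a plain 64-bit integer and extra_zeroes (an assumed parameter name) means zeroes appended to the digits. What is kept is the sizing mistake the CVE names, a heap buffer that has room for the digits and the zeroes but not for the trailing '\0', shown next to a version that reserves that byte and guards the size arithmetic.

```c
/* Added illustration of the CVE-2018-17942 bug class; not gnulib's code.
   A decimal converter that sizes its heap buffer for the digits plus the
   requested zeroes and forgets the byte for the trailing '\0'. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of decimal digits in v; v == 0 still needs one digit. */
size_t decimal_digits(uint64_t v)
{
    size_t n = 1;
    while (v >= 10) {
        v /= 10;
        n++;
    }
    return n;
}

/* Size the vulnerable pattern would pass to malloc(): digits plus zeroes.
   This is the shape of the bug the CVE text describes; the code that fills
   the buffer later also stores a NUL terminator, one byte past this size. */
size_t buggy_alloc_size(uint64_t v, size_t extra_zeroes)
{
    return extra_zeroes + decimal_digits(v);
}

/* Bytes the result actually occupies: digits, zeroes and the terminator. */
size_t needed_size(uint64_t v, size_t extra_zeroes)
{
    return extra_zeroes + decimal_digits(v) + 1;
}

/* How many bytes past the end the vulnerable sizing would write. */
size_t buggy_shortfall(uint64_t v, size_t extra_zeroes)
{
    return needed_size(v, extra_zeroes) - buggy_alloc_size(v, extra_zeroes);
}

/* Corrected converter: returns the string for v * 10^extra_zeroes
   (digits followed by extra_zeroes '0' characters), NUL-terminated.
   The size arithmetic is overflow-checked (the role gnulib's xsum() plays);
   returns NULL on overflow or allocation failure. Caller frees. */
char *convert_to_decimal_fixed(uint64_t v, size_t extra_zeroes)
{
    size_t ndig = decimal_digits(v);
    if (extra_zeroes > SIZE_MAX - ndig - 1)   /* ndig + extra_zeroes + 1 must fit */
        return NULL;
    size_t len = ndig + extra_zeroes;
    char *buf = malloc(len + 1);              /* the +1 the vulnerable sizing omits */
    if (buf == NULL)
        return NULL;

    size_t i = ndig;                          /* emit digits, least significant first */
    do {
        buf[--i] = (char)('0' + v % 10);
        v /= 10;
    } while (v > 0);
    memset(buf + ndig, '0', extra_zeroes);    /* appended zeroes */
    buf[len] = '\0';                          /* the byte that needs the +1 */
    return buf;
}

/* Convenience check: converts, compares with the expected string, frees. */
int fixed_matches(uint64_t v, size_t extra_zeroes, const char *expected)
{
    char *s = convert_to_decimal_fixed(v, extra_zeroes);
    if (s == NULL)
        return 0;
    int ok = strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    uint64_t v = 12345;      /* constructed sample value */
    size_t zeroes = 3;
    printf("buggy malloc size: %zu, bytes written: %zu, overrun: %zu byte(s)\n",
           buggy_alloc_size(v, zeroes), needed_size(v, zeroes),
           buggy_shortfall(v, zeroes));
    char *s = convert_to_decimal_fixed(v, zeroes);
    if (s != NULL) {
        printf("fixed result: \"%s\" (%zu chars + NUL)\n", s, strlen(s));
        free(s);
    }
    return 0;
}
```

The overrun is always exactly one byte, which is what makes this class easy to miss in testing: many allocators round small requests up, so the stray NUL lands in slack space and nothing crashes until a request size happens to sit on an allocation boundary. Building with -fsanitize=address, or running under valgrind, flags a one-byte heap write immediately, which is the check worth running on any hand-rolled formatter that computes its own buffer length.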
--- Begin Message ---
Source: gnulib
Source-Version: 20180621~6979c25-3

We believe that the bug you reported is fixed in the latest version of
gnulib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gnulib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Feb 2019 07:14:48 +0100
Source: gnulib
Binary: git-merge-changelog git-merge-changelog-dbgsym gnulib
Architecture: source
Version: 20180621~6979c25-3
Distribution: experimental
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 910757
Description: 
 git-merge-changelog - git merge driver for GNU ChangeLog files
 gnulib     - GNU Portability Library
Changes:
 gnulib (20180621~6979c25-3) experimental; urgency=medium
 .
   * QA upload.
   * vasnprintf: Fix heap memory overrun bug (CVE-2018-17942) (Closes: #910757)
Checksums-Sha1: 
 b44c69fad285a3f0e142e02e1cdac34635979845 2165 gnulib_20180621~6979c25-3.dsc
 65589cbc87596fed22ca019c3709a0c2ad317f18 298776 gnulib_20180621~6979c25-3.debian.tar.xz
Checksums-Sha256: 
 02609da97810676c4805bea00e79017dd8dd25b2e561244c4400373c2a71e7d6 2165 gnulib_20180621~6979c25-3.dsc
 0eaf3c3d0e51eb0cb75c612ddf38a8ad09f06f5a4d2e244aadc571d1ab7a26af 298776 gnulib_20180621~6979c25-3.debian.tar.xz
Files: 
 2086a3b4c55f647e2ded9224300e8dc0 2165 devel optional gnulib_20180621~6979c25-3.dsc
 16923d353055697e10c8874f4e744186 298776 devel optional gnulib_20180621~6979c25-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
