
Bug#797165: marked as done (CVE-2015-0852: integer overflow in PluginPCX.cpp)



Your message dated Fri, 18 Sep 2015 19:50:37 +0000
with message-id <E1Zd1g5-0003LO-Du@franck.debian.org>
and subject line Bug#797165: fixed in freeimage 3.15.4-5
has caused the Debian Bug report #797165,
regarding CVE-2015-0852: integer overflow in PluginPCX.cpp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
797165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: freeimage
Version: 3.10.0-4
Severity: serious
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for freeimage.

CVE-2015-0852[0]:
Integer overflow in PluginPCX.cpp

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
    https://marc.info/?l=oss-security&m=144073280200732&w=2
    Please adjust the affected versions in the BTS as needed.

BTW upstream patches are available but they are not minimal patches:
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.18&r2=1.19&pathrev=MAIN

Hopefully one of the people who will discover this RC bug (because
their package depends on freeimage or whatever) can be convinced to take
over this package... it has been orphaned for way too long.

Note that the package has another pending security issue (#786790).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
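The report above names only the bug class ("integer overflow in PluginPCX.cpp") and points at the upstream CVS diffs for the details. The following is an added, constructed illustration of how that class of bug typically arises in a PCX loader: the 16-bit window and bytes-per-line fields of the 128-byte PCX header are attacker controlled, and multiplying them in 32-bit arithmetic to size the pixel buffer can wrap to a small value, after which the RLE decoder writes the real scanline volume past the allocation. It is not FreeImage's code, it is not a claim about the exact expression that CVE-2015-0852 overflows, and the 256 MiB cap (PCX_MAX_IMAGE_BYTES), the pcx_* function names and the hostile header values are assumptions made for the example. The header offsets used (3: bits per pixel, 4..11: xmin/ymin/xmax/ymax, 65: planes, 66: bytes per line) follow the ZSoft PCX header layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit for a decoded image; a real loader would pick its own. */
#define PCX_MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Dimension-related fields of the 128-byte PCX header (little-endian). */
typedef struct {
    uint8_t  bits_per_pixel;   /* offset 3  */
    uint16_t xmin, ymin;       /* offsets 4, 6 */
    uint16_t xmax, ymax;       /* offsets 8, 10 */
    uint8_t  planes;           /* offset 65 */
    uint16_t bytes_per_line;   /* offset 66 */
} pcx_dims;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Build a constructed 128-byte header for testing; this is not a real PCX file. */
void pcx_make_header(uint8_t hdr[128], uint16_t xmin, uint16_t ymin, uint16_t xmax,
                     uint16_t ymax, uint8_t bpp, uint8_t planes, uint16_t bytes_per_line) {
    memset(hdr, 0, 128);
    hdr[0] = 0x0A;                 /* ZSoft manufacturer byte */
    hdr[1] = 5;                    /* version */
    hdr[2] = 1;                    /* RLE encoded */
    hdr[3] = bpp;
    put16(hdr + 4, xmin);  put16(hdr + 6, ymin);
    put16(hdr + 8, xmax);  put16(hdr + 10, ymax);
    hdr[65] = planes;
    put16(hdr + 66, bytes_per_line);
}

/* Pull the dimension fields out of a raw header buffer. */
bool pcx_read_dims(const uint8_t *hdr, size_t len, pcx_dims *d) {
    if (len < 128 || hdr[0] != 0x0A) return false;
    d->bits_per_pixel = hdr[3];
    d->xmin = le16(hdr + 4);   d->ymin = le16(hdr + 6);
    d->xmax = le16(hdr + 8);   d->ymax = le16(hdr + 10);
    d->planes = hdr[65];
    d->bytes_per_line = le16(hdr + 66);
    return true;
}

/* Overflow-prone sizing: 32-bit product of three attacker-controlled fields.
 * Unsigned wrap is well defined in C, so this silently returns a small number. */
uint32_t pcx_image_bytes_unchecked(const pcx_dims *d) {
    uint32_t height = (uint32_t)d->ymax - d->ymin + 1;
    return (uint32_t)d->bytes_per_line * d->planes * height;
}

/* Hardened sizing: validate geometry, compute in 64 bits, and cap the result. */
bool pcx_image_bytes_checked(const pcx_dims *d, size_t *out) {
    if (d->xmax < d->xmin || d->ymax < d->ymin) return false;      /* inverted window */
    if (d->planes == 0 || d->bytes_per_line == 0 || d->bits_per_pixel == 0) return false;
    uint32_t width  = (uint32_t)d->xmax - d->xmin + 1;              /* <= 65536 */
    uint32_t height = (uint32_t)d->ymax - d->ymin + 1;              /* <= 65536 */
    /* bytes_per_line must cover one scanline: ceil(width * bpp / 8); < 2^25, no overflow. */
    uint32_t needed = (width * d->bits_per_pixel + 7) / 8;
    if (d->bytes_per_line < needed) return false;
    uint64_t total = (uint64_t)d->bytes_per_line * d->planes * height;
    if (total > PCX_MAX_IMAGE_BYTES) return false;
    *out = (size_t)total;
    return true;
}

int main(void) {
    uint8_t hdr[128];
    pcx_dims d;
    size_t n = 0;

    /* Ordinary 640x480, 8 bpp, one plane. */
    pcx_make_header(hdr, 0, 0, 639, 479, 8, 1, 640);
    pcx_read_dims(hdr, sizeof hdr, &d);
    bool ok = pcx_image_bytes_checked(&d, &n);
    printf("benign : unchecked=%u checked=%s n=%zu\n",
           pcx_image_bytes_unchecked(&d), ok ? "ok" : "rejected", n);

    /* Hostile: 32768 bytes/line * 2 planes * 65536 rows == 2^32, wraps to 0. */
    pcx_make_header(hdr, 0, 0, 32767, 65535, 8, 2, 32768);
    pcx_read_dims(hdr, sizeof hdr, &d);
    ok = pcx_image_bytes_checked(&d, &n);
    printf("hostile: unchecked=%u checked=%s\n",
           pcx_image_bytes_unchecked(&d), ok ? "ok" : "rejected");
    return 0;
}
```

With the hostile header the unchecked path asks the allocator for 0 bytes while the decoder still intends to emit 2^32 bytes of scanline data, which is the heap overflow this bug class produces; the checked path rejects the header before any allocation. The same pattern (validate each field, multiply in a wider type, cap against a policy limit) is what a reviewer should look for in the upstream PluginPCX.cpp diffs linked above.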
--- Begin Message ---
Source: freeimage
Source-Version: 3.15.4-5

We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
W. Martin Borgert <debacle@debian.org> (supplier of updated freeimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 15 Sep 2015 22:50:49 +0200
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source
Version: 3.15.4-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: W. Martin Borgert <debacle@debian.org>
Description:
 libfreeimage-dev - Support library for graphics image formats (development files)
 libfreeimage3 - Support library for graphics image formats (library)
 libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 797165
Changes:
 freeimage (3.15.4-5) unstable; urgency=medium
 .
   [ W. Martin Borgert ]
   * QA upload.
   * [e807e1c] Fix integer overflow. (Closes: #797165)
Checksums-Sha1:
 9a3d187e315da299918aab1e73137d7a7228d0dd 2140 freeimage_3.15.4-5.dsc
 f3db0ed1c0f3f5b2173dbe8ca666c0edef3f7107 33224 freeimage_3.15.4-5.debian.tar.xz
Checksums-Sha256:
 dcd5904b934f84cccdb5818a680662914918c76f5697db926f3c06d1faf6186a 2140 freeimage_3.15.4-5.dsc
 1670d7bb031427cd1392bf197bb92c08fe3b1cf822c2afd42938807f2580aa5c 33224 freeimage_3.15.4-5.debian.tar.xz
Files:
 ce8cbfe9aa8034d4a5086648ed2e31bd 2140 libs optional freeimage_3.15.4-5.dsc
 df3d35dd419158482f7b6757208a1d39 33224 libs optional freeimage_3.15.4-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJV+cFvAAoJENPhc4PPp/8GV7UQAIiPdVkEYezwY8K/iE919Kr8
CGBzYblbwinm0CkAWk8+CHCqncIsi/4VbpNZCB0WYgNGcVHjDBzSiegoZzlEa6/x
IaXJtK1KRSMWGhlmFgYuqJCi+icc62fKD5TnfpVXCK/lHfpKGPh24PsEuKQbtvLC
20FRiaWXtj+2zCm6XoI1ptjbQXrcUZxgUuGzLuncSZYRJ499gI/Xfjvj/4WGDZbL
x1ExB5GPq/OrZ8saXSaP2xpby118iQDf+8w6zQwoxd7xuUn36in85/dm6OcdP1Au
OFDevZOByjOERyOtcjLGeDPgd8L14Afeph7ik2HUQfErVZCOj0mo4wfm4C+Wh1d8
CoFRKGjKODgTEKzqo+BWgqF6uff/Xm//rYi9r4gMDFrbJMzr34aG9JXO9WWKFTLH
Q6TEimDDutz7bm2RrzgC2tzyTu0Nrniphh6KV/dfKjMrpYtppTIil0rl8ncGRtio
5+XgGKaaZcPRUI/y5m1XdtpAJA1nZqEgmDcoBY8ajWlQ3P9yQFpxdtDpuRdbb28w
eLy7Oa8eXEx2Dr+XgWVZrQhgF07VN7G6CiCoz+MmOVoP3K5Uc8aQ7AWGQgeOGgPR
lbzMkSeaPolF55AGtG1Tu+RcApNxgFvlEiZhVx71OWlXixZLXrfXpKCeK4oWp1v5
kk0sW+CoNhibHFMNAbob
=qVsb
-----END PGP SIGNATURE-----

--- End Message ---
