Your message dated Thu, 23 Jan 2025 17:14:33 +0000
with message-id <E1tb0mn-00DoiC-Mw@fasolo.debian.org>
and subject line Bug#1075852: fixed in onnx 1.17.0-2
has caused the Debian Bug report #1075852,
regarding onnx: CVE-2024-5187
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1075852: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075852
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: onnx: CVE-2024-5187
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 06 Jul 2024 17:24:38 +0200
- Message-id: <172027947850.1994262.157876315347226048.reportbug@eldamar.lan>
Source: onnx
Version: 1.14.1-2.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/onnx/onnx/pull/6164
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for onnx.

CVE-2024-5187[0]:
| A vulnerability in the `download_model_with_test_data` function of
| the onnx/onnx framework, version 1.16.0, allows for arbitrary file
| overwrite due to inadequate prevention of path traversal attacks in
| malicious tar files. This vulnerability enables attackers to
| overwrite any file on the system, potentially leading to remote code
| execution, deletion of system, personal, or application files, thus
| impacting the integrity and availability of the system. The issue
| arises from the function's handling of tar file extraction without
| performing security checks on the paths within the tar file, as
| demonstrated by the ability to overwrite the
| `/home/kali/.ssh/authorized_keys` file by specifying an absolute
| path in the malicious tar file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-5187
    https://www.cve.org/CVERecord?id=CVE-2024-5187
[1] https://github.com/onnx/onnx/pull/6164
[2] https://github.com/onnx/onnx/commit/3fc3845edb048df559aa2a839e39e95503a0ee34

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
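The report above describes the general bug class: a tar archive is extracted without checking member paths, so an absolute name (or a `..` component, or a symlink that points out of the tree) lets the archive write anywhere the extracting user can. The block below is an added example written for this page; it is not onnx code and not the upstream fix from PR 6164. It constructs a hostile archive in memory (member names are illustrative), then extracts it through a checker that rejects absolute paths, parent-directory traversal, links that escape the destination, and special files, and also asks for Python's `data` extraction filter where the interpreter provides one (3.12+). Nothing hostile is ever written; the rejected members are only reported.

```python
"""Path-traversal-safe tar extraction (added example, not onnx's own code).

Demonstrates the bug class behind a CVE of the kind reported above:
tarfile.extractall() on an untrusted archive, with no path checks,
will honour absolute names and '..' components. Here every member is
vetted before extraction; hostile members are reported, not written.
"""
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def build_malicious_tar() -> bytes:
    """Construct, in memory, an archive with one benign and three hostile members.
    All names are made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("model/model.onnx", b"\x08\x07")            # benign: relative, stays inside
        add_file("/tmp/overwritten_by_absolute_path", b"x")  # absolute path (the CVE's vector)
        add_file("../../escape_via_dotdot", b"x")            # parent-directory traversal
        link = tarfile.TarInfo("model/link_out")             # symlink pointing out of the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside"
        tar.addfile(link)
    return buf.getvalue()


def member_problem(info: tarfile.TarInfo, dest: Path) -> str | None:
    """Return a rejection reason, or None if the member may be extracted under dest."""
    name = info.name
    if name.startswith(("/", "\\")) or os.path.isabs(name):
        return "absolute path"
    if ".." in PurePosixPath(name).parts:
        return "parent-directory traversal"
    base = dest.resolve()
    target = (dest / name).resolve()          # follows any symlink already on disk
    if not target.is_relative_to(base):
        return "resolves outside destination"
    if info.issym() or info.islnk():
        # symlink targets are relative to the link's directory; hardlinks to the archive root
        anchor = (dest / name).parent if info.issym() else dest
        if os.path.isabs(info.linkname) or not (anchor / info.linkname).resolve().is_relative_to(base):
            return "link points outside destination"
    elif not (info.isreg() or info.isdir()):
        return "special file"                 # devices, fifos: never wanted from a model archive
    return None


def safe_extract(tar_bytes: bytes, dest: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Extract only vetted members; return (extracted names, [(name, reason), ...])."""
    dest_path = Path(dest)
    dest_path.mkdir(parents=True, exist_ok=True)
    # Python 3.12+ ships a built-in 'data' filter; use it as a second line of defence.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted: list[str] = []
    rejected: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar:
            problem = member_problem(info, dest_path)
            if problem is not None:
                rejected.append((info.name, problem))
                continue
            tar.extract(info, path=str(dest_path), set_attrs=False, **extra)
            extracted.append(info.name)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "out")
        extracted, rejected = safe_extract(build_malicious_tar(), out)
        return {
            "extracted": extracted,
            "rejected": dict(rejected),
            "model_present": os.path.isfile(os.path.join(out, "model", "model.onnx")),
            "link_present": os.path.lexists(os.path.join(out, "model", "link_out")),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: the `..` test is lexical, but the `resolve()` test is against the filesystem as it exists at that moment, which is what catches a later member whose path walks through a symlink an earlier member planted. Rejecting the symlink itself, as above, removes that foothold before anything can use it.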
--- Begin Message ---
- To: 1075852-close@bugs.debian.org
- Subject: Bug#1075852: fixed in onnx 1.17.0-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Thu, 23 Jan 2025 17:14:33 +0000
- Message-id: <E1tb0mn-00DoiC-Mw@fasolo.debian.org>
- Reply-to: Mo Zhou <lumin@debian.org>
Source: onnx
Source-Version: 1.17.0-2
Done: Mo Zhou <lumin@debian.org>

We believe that the bug you reported is fixed in the latest version of
onnx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1075852@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mo Zhou <lumin@debian.org> (supplier of updated onnx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Jan 2025 11:21:11 -0500
Source: onnx
Architecture: source
Version: 1.17.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Deep Learning Team <debian-ai@lists.debian.org>
Changed-By: Mo Zhou <lumin@debian.org>
Closes: 1075852
Changes:
 onnx (1.17.0-2) unstable; urgency=medium
 .
   * Upload to unstable. (Closes: #1075852) (Fixes: CVE-2024-5187)
     The CVE was already fixed in the 1.16.2 release. I forgot to close
     the bug back then.
Checksums-Sha1:
 afb089e4557997c5876acd2b55f16863d141a46d 2456 onnx_1.17.0-2.dsc
 33f0771cfb03d5a7ec64d5c52d0723a2aac219b9 13236 onnx_1.17.0-2.debian.tar.xz
 072fe13308ae65fd135dd2238d9e21f6afd390d8 7344 onnx_1.17.0-2_source.buildinfo
Checksums-Sha256:
 bbd9aa42126d03a0dd6e6b00390987f43abe4727305da9fbce9da92651ebb994 2456 onnx_1.17.0-2.dsc
 b0fe614f6998e228a063920782949925c543c2b962c145eeb6b0b616efe390bd 13236 onnx_1.17.0-2.debian.tar.xz
 fda5edf568c93f638a59b6875b247f26e782ed64b5c4a1b8a6f95e1b4867d990 7344 onnx_1.17.0-2_source.buildinfo
Files:
 ba6cae30eb4c200e06d8f07123608ef3 2456 science optional onnx_1.17.0-2.dsc
 93e86c2e811ac9aa6abbeef2219a55ca 13236 science optional onnx_1.17.0-2.debian.tar.xz
 e5943e2cde87ebef51090d5ea90c86de 7344 science optional onnx_1.17.0-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEY4vHXsHlxYkGfjXeYmRes19oaooFAmeSbM0RHGx1bWluQGRl
Ymlhbi5vcmcACgkQYmRes19oaorqhg/+Oucc17FFVKEdsdlQVbgwqI4UpuDBWgRY
GZpNqZ7w2PtMJh8q/Bn7OuJx0ADF9iS3ezCjzfsnAxd/4EHimXFx+sKpU1toR0PZ
gOaRI3KQKiRiThaBJchByg85rH2Sb4x5Jgn85ON5jk4ypc8pwa5hS6eRt/cnLSJC
zqztQWVsGARaHTQ2ZwK3/0KQWkaLKmE1cOz+YyjnY8q0kPiqpp73/PFwhgCJvrDA
+LkBntp50v9oVbArgU7lC0tHyeoieKaK8CqyaegNxqs2AWvbP1d9hqmnojp6oomM
wTTGMIoorv8/7y8c7eN3kBjXfOvhc93OKsLBN3eB9RjWGK1oHhG/f3izendHZxRI
CV03P5Yp+OZMqz/GtQW2FJUO4+v8T8kYqaySQ4DX+QDOnQoofj2Wu8uYspsvbDgd
+iV14vQGZefJwr2Xk5VeWWv3l55OWEDE+kwx0Lp0AGr4UfKXG88/9wNhY6iVKSwr
4FVrNkqB0DRl/NSYGqLkhiyLtYOT5nsBWZ5724H9u3m96gThFuGPjqtrwxZ8UYfW
7ctkTRHwOr/DqmP/d+gtGengg67a3jutJBqUgR8yzijwdYVo9b1SUjgItgqbPDLN
LVt40B8QhbwLLjfrLK+3cOB1kxEM/mgL8SgF5yIIdi460N92g8UBptfTZKKPTUwa
VoDHbFfqnaQ=
=ZZMs
-----END PGP SIGNATURE-----
--- End Message ---