During the month of December 2023 and on behalf of Freexian, I worked on the
following:

ncurses
-------

Uploaded 6.1+20181013-2+deb10u5 and issued DLA-3682-1
https://lists.debian.org/msgid-search/?m=ZWzNC9maM3BUcYvE@debian.org

* CVE-2021-39537: The tic(1) utility was susceptible to a
  heap overflow on crafted input due to improper bounds checking.
* CVE-2023-29491: Local users could trigger security-relevant memory
  corruption via a crafted terminfo database file.

ncurses now further restricts programs running with elevated
privileges (setuid/setgid programs). This change aligns ncurses'
behavior in buster-security with that of bullseye's latest point
release (6.2+20201114-2+deb11u2).

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u5 and issued DLA-3683-1
https://lists.debian.org/msgid-search/?m=ZW5nAj2P259DWfvt@debian.org

* CVE-2023-47272: cross-site scripting (XSS) vulnerability via a
  Content-Type or Content-Disposition header (used for attachment
  preview or download).

1.3.x is no longer supported upstream and the code has changed quite a
lot in 1.4.x, so I ended up backporting the entire download_headers()
function.

spip
----

Uploaded 3.2.4-1+deb10u12 and issued DLA-3691-1
https://lists.debian.org/msgid-search/?m=ZX-pL_ux-tD7JRpn@debian.org

Backported upstream security fixes from 4.1.10 and 4.1.11. No CVEs have
been assigned for these vulnerabilities yet.

tinyxml
-------

Uploaded 2.6.2-4+deb10u2 and issued DLA-3701-1
https://lists.debian.org/msgid-search/?m=ZZCkmiN1I4FhCPDD@debian.org

* CVE-2023-34194: Reachable assertion (and application exit) via a
  crafted XML document with a '\0' located after whitespace.
  tinyxml has been abandoned upstream, so I wrote the patch myself.
  Fortunately in this case the fix turned out to be simple.
* After looking at the researchers' report, I concluded that other
  CVEs (CVE-2023-40462 and CVE-2023-40458) were duplicates for another
  product *using* tinyxml.

Also, uploaded 2.6.2-6.1 to sid after consultation with the maintainer,
and submitted the patch to the Security Team for bullseye and bookworm,
which have the same upstream version 2.6.2.
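The failure mode behind CVE-2023-34194 above, as an added C++ illustration that is not tinyxml's code: a hypothetical whitespace skipper feeds two versions of a document-start check, one that asserts on the returned pointer (the reachable-assertion shape, which aborts on a whitespace-only document) and one that reports a parse error to the caller instead. The names skipWhiteSpace, identifyUnchecked, identifyChecked and ParseStatus are assumptions for this example.

```cpp
#include <cassert>
#include <cstddef>

// Added illustration of the bug class, not tinyxml's own code: a parser
// front-end that skips leading whitespace and then inspects the next byte.

// Returns a pointer to the first non-whitespace byte, or nullptr when the
// input is exhausted (the terminating '\0' is reached) before any other
// byte is seen.
const char* skipWhiteSpace(const char* p) {
    if (p == nullptr) return nullptr;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') ++p;
    return (*p == '\0') ? nullptr : p;
}

// Vulnerable shape: the caller assumes the skipper always lands on a byte.
// A document consisting of whitespace followed by '\0' makes skipWhiteSpace()
// return nullptr, the assert() fires and the process aborts: a reachable
// assertion, i.e. a crash on untrusted input. (Hypothetical helper name.)
bool identifyUnchecked(const char* doc) {
    const char* p = skipWhiteSpace(doc);
    assert(p && *p);          // aborts on whitespace-only input
    return *p == '<';
}

// Hardened shape: exhaustion after whitespace is an ordinary parse error,
// reported to the caller instead of trapping. (Hypothetical names.)
enum class ParseStatus { Ok, EmptyDocument, NoRootElement };

ParseStatus identifyChecked(const char* doc) {
    const char* p = skipWhiteSpace(doc);
    if (p == nullptr) return ParseStatus::EmptyDocument;
    if (*p != '<') return ParseStatus::NoRootElement;
    return ParseStatus::Ok;
}
```

identifyUnchecked() only ever sees the assertion fire on the whitespace-only case, which is exactly the input class a fuzzer or a hostile document will produce; identifyChecked() turns the same input into an EmptyDocument status that the application can handle like any other malformed file.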

libspreadsheet-parseexcel-perl
------------------------------

Uploaded 0.6500-1+deb10u1 and issued DLA-3702-1
https://lists.debian.org/msgid-search/?m=ZZC_Sl-WTc5dYOvi@debian.org

* CVE-2023-7101: Improper directive sanitation in dynamically evaluated
  code could lead to the execution of arbitrary code by using specially
  crafted Number format strings within XLS and XLSX files.

xerces-c
--------

Uploaded 3.2.2+debian-1+deb10u2 and issued DLA-3704-1
https://lists.debian.org/msgid-search/?m=ZZFQAL46Y-a9ug2M@debian.org

* CVE-2023-37536: Integer overflow via crafted .xsd files,
  which can lead to out-of-bounds access.
* While reviewing the upstream history I discovered that
  CVE-2018-1311 was recently fixed upstream in 3.2.5, so I replaced the
  previous mitigation patch (which introduced a memory leak) with that
  upstream-vetted fix.

Also, uploaded 3.2.4+debian-1.1 to sid after consultation with the
maintainer, and submitted a debdiff (targeting bullseye) to the Security
Team with the aforementioned fixes.

php-guzzlehttp-psr7
-------------------

Uploaded 1.4.2-0.1+deb10u2 and issued DLA-3705-1
https://lists.debian.org/msgid-search/?m=ZZHwp6BkKP5NfJmN@debian.org

* CVE-2023-29197: Improper header parsing which may lead to
  information disclosure or authorization bypass via crafted requests.
  (This is a follow-up to CVE-2022-24775 where the fix was incomplete.)

Ended up backporting assertHeader() and its call sites, which had been
omitted in 1.4.2-0.1+deb10u1.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

--
Guilhem.