Bug#850497: marked as done (jbig2dec: CVE-2016-9601: Heap-buffer overflow due to Integer overflow in jbig2_image_new function)
Your message dated Mon, 23 Jan 2017 21:07:26 +0000
with message-id <E1cVlpm-0006QC-Ng@fasolo.debian.org>
and subject line Bug#850497: fixed in jbig2dec 0.13-4
has caused the Debian Bug report #850497,
regarding jbig2dec: CVE-2016-9601: Heap-buffer overflow due to Integer overflow in jbig2_image_new function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
850497: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850497
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: jbig2dec
Version: 0.13-3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for jbig2dec.

NOTE: Actually not much has been published yet. There is an upstream
bug report at [1], so I am opening this bug in the Debian BTS to help
track the issue. There is a report, but it is still restricted to the
developers. From a look at the trace and the current code some
issue might be present, but it is not really possible to say more yet
without having access to the report ... hope you as maintainers could
find out more from upstream. There is as well no patch referenced yet.

CVE-2016-9601[0]:
Heap-buffer overflow due to Integer overflow in jbig2_image_new function

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9601
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
[1] https://bugs.ghostscript.com/show_bug.cgi?id=697457

Please adjust the affected versions in the BTS as needed, once more
known.

Regards,
Salvatore

--- End Message ---
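The bug class named in the CVE title, an integer overflow in an image-allocation routine that yields an undersized heap buffer, shown as an added C example. This is not jbig2dec's code and not the actual fix; the function names, the 1 bit-per-pixel stride formula and the INT32_MAX bound are assumptions chosen to illustrate the check a decoder needs before calling malloc().

```c
/* Added example (hypothetical code, not from jbig2dec): how a decoder's
 * bytes = stride * height computation can wrap, and how to validate it
 * before allocating. Names and the stride formula are assumptions. */
#include <stdint.h>
#include <stdlib.h>

/* Row stride for a 1 bit-per-pixel image: width bits rounded up to bytes.
 * Caller guarantees width <= UINT32_MAX - 7 so the addition cannot wrap. */
static uint32_t stride_for_width(uint32_t width)
{
    return (width + 7) / 8;
}

/* Naive size computation: the 32-bit multiply silently wraps.
 * width=0x80008, height=0x10000 gives stride 0x10001, product 0x100010000,
 * which wraps to 0x10000: malloc() then returns 64 KiB for a 4 GiB image,
 * and the row writes that follow run off the end of the heap buffer. */
uint32_t image_bytes_naive(uint32_t width, uint32_t height)
{
    return stride_for_width(width) * height;
}

/* Checked computation: do the multiply in 64 bits and reject anything
 * that would not fit a 32-bit size (INT32_MAX is used as a conservative
 * bound so later signed offset arithmetic cannot wrap either).
 * Returns 0 on rejection; 0 is never a valid size for non-empty input. */
uint32_t image_bytes_checked(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0 || width > UINT32_MAX - 7)
        return 0;
    uint64_t total = (uint64_t)stride_for_width(width) * height;
    if (total > INT32_MAX)
        return 0;
    return (uint32_t)total;
}

/* Allocate the pixel buffer only after the size has been validated,
 * so the buffer is always large enough for stride * height row writes. */
unsigned char *image_alloc_checked(uint32_t width, uint32_t height)
{
    uint32_t bytes = image_bytes_checked(width, height);
    if (bytes == 0)
        return NULL;
    return calloc(1, bytes);
}
```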
--- Begin Message ---
Source: jbig2dec
Source-Version: 0.13-4

We believe that the bug you reported is fixed in the latest version of
jbig2dec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated jbig2dec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Jan 2017 21:13:34 +0100
Source: jbig2dec
Binary: libjbig2dec0-dev libjbig2dec0 jbig2dec
Architecture: source
Version: 0.13-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 jbig2dec   - JBIG2 decoder library - tools
 libjbig2dec0 - JBIG2 decoder library - shared libraries
 libjbig2dec0-dev - JBIG2 decoder library - development files
Closes: 850497
Changes:
 jbig2dec (0.13-4) unstable; urgency=medium
 .
   * Add patches cherry-picked upstream to squash signed/unsigned
     warnings and to fix warning for always-false unsigned < 0 tests.
     Closes: Bug#850497. Thanks to Salvatore Bonaccorso.
   * Modernize Vcs-Browser field: Use git subdir (not cgit).
   * Stop overriding lintian for
     package-needs-versioned-debhelper-build-depends: Fixed in lintian.
   * Update copyright info: Extend coverage of Debian packaging.
Checksums-Sha1:
 2db0ccd11b95df2922fc89580610de291f02688d 2128 jbig2dec_0.13-4.dsc
 970d576e73e5a0de0b19d78820b0febc5181b3dc 24772 jbig2dec_0.13-4.debian.tar.xz
Checksums-Sha256:
 0dcf037787d3f96b572ede3a72cb4e06503bbdcd48dd323d2a31eec13ce8e5c2 2128 jbig2dec_0.13-4.dsc
 c4776c27e4633a7216e02ca6efcc19039ca757e8bd8fe0a7fbfdb07fa4c30d23 24772 jbig2dec_0.13-4.debian.tar.xz
Files:
 6a67f43ba7787eff7f95d21fba9cba57 2128 libs optional jbig2dec_0.13-4.dsc
 870247e545c46712a6de6257974d7eee 24772 libs optional jbig2dec_0.13-4.debian.tar.xz


--- End Message ---