
Bug#992973: marked as done (plib: CVE-2021-38714)



Your message dated Sat, 02 Oct 2021 12:28:24 +0000
with message-id <E1mWe7s-0008Gn-Gd@fasolo.debian.org>
and subject line Bug#992973: fixed in plib 1.8.5-10
has caused the Debian Bug report #992973,
regarding plib: CVE-2021-38714
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992973
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: plib
Version: 1.8.5-8
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://sourceforge.net/p/plib/bugs/55/
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for plib.

CVE-2021-38714[0]:
| In Plib through 1.85, there is an integer overflow vulnerability that
| could result in arbitrary code execution. The vulnerability is found
| in ssgLoadTGA() function in src/ssg/ssgLoadTGA.cxx file.

The severity of this bug is set on purpose higher than is
probably warranted. There is the following reason for that: plib has
been orphaned in Debian for a while, and it is obsolete and unmaintained
upstream as well. Ideally it gets removed from Debian from the next
release on, but there would be some reverse dependency issues to be
solved, making it impossible for now to remove the package:

| Checking reverse dependencies...
| # Broken Depends:
| crrcsim: crrcsim [amd64 arm64 armhf i386 mips64el mipsel ppc64el s390x]
| flightgear: flightgear
| openuniverse: openuniverse
| stormbaancoureur: stormbaancoureur
| torcs: torcs
| 
| # Broken Build-Depends:
| crrcsim: libplib-dev
| flightgear: libplib-dev
| torcs: libplib-dev
| 
| Dependency problem found.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-38714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38714
[1] https://sourceforge.net/p/plib/bugs/55/

Regards,
Salvatore

--- End Message ---
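The CVE text above only names the bug class (an integer overflow in a TGA loader) and the function it lives in; neither the vulnerable arithmetic nor the patch that landed in 1.8.5-10 is shown on this page. The following is an added illustration of that class, written for this page: it is not plib's ssgLoadTGA() and not the Debian fix, all struct and function names are my own, the 256 MiB size cap is an assumed policy, and the TGA headers it builds are constructed test input. It places the 32-bit width * height * bytes-per-pixel product, which wraps to 0 for a 32768x32768x32 image, next to a size computation that refuses to wrap and a loader that also checks the file actually carries the declared pixel bytes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative TGA loader written for this bug page. It is NOT plib's
 * ssgLoadTGA(), and every name here is mine; it shows the bug class the
 * CVE names (image-size arithmetic that wraps) next to the needed checks. */

#define TGA_HEADER_LEN 18
#define TGA_TYPE_TRUECOLOR 2
#define TGA_MAX_BYTES ((size_t)256 * 1024 * 1024) /* assumed cap, 256 MiB */

typedef struct {
    uint8_t  id_length, image_type, bits_per_pixel;
    uint16_t width, height;
} tga_hdr;

/* Read the fields we need from an 18-byte little-endian TGA header. */
static bool tga_parse_header(const uint8_t *buf, size_t len, tga_hdr *h) {
    if (buf == NULL || h == NULL || len < TGA_HEADER_LEN) return false;
    h->id_length      = buf[0];
    h->image_type     = buf[2];
    h->width          = (uint16_t)(buf[12] | (buf[13] << 8));
    h->height         = (uint16_t)(buf[14] | (buf[15] << 8));
    h->bits_per_pixel = buf[16];
    return true;
}

/* Weak pattern: width * height * bytes-per-pixel evaluated in 32 bits.
 * 32768 * 32768 * 4 is exactly 2^32, so the product wraps to 0 and a
 * 0-byte allocation is then written with 2^30 pixels. */
static uint32_t tga_size_unchecked(const tga_hdr *h) {
    return (uint32_t)h->width * (uint32_t)h->height * (uint32_t)(h->bits_per_pixel / 8);
}

/* Hardened: validate depth, multiply in size_t with explicit overflow
 * checks, and refuse anything above the cap. Returns false on rejection. */
static bool tga_size_checked(const tga_hdr *h, size_t *out) {
    uint8_t d = h->bits_per_pixel;
    if (d != 8 && d != 16 && d != 24 && d != 32) return false;
    if (h->width == 0 || h->height == 0) return false;
    size_t w = h->width, hgt = h->height, bytes_pp = d / 8;
    if (w > SIZE_MAX / hgt) return false;           /* w * hgt would wrap */
    size_t pixels = w * hgt;
    if (pixels > SIZE_MAX / bytes_pp) return false; /* pixels * bpp would wrap */
    size_t total = pixels * bytes_pp;
    if (total > TGA_MAX_BYTES) return false;
    *out = total;
    return true;
}

/* Load an uncompressed true-colour TGA from memory. Besides the size check
 * it verifies the file really carries the declared pixel bytes before
 * copying. Returns NULL on any rejection; the caller frees the result. */
static uint8_t *tga_load(const uint8_t *buf, size_t len, size_t *out_len) {
    tga_hdr h; size_t need, data_off;
    if (!tga_parse_header(buf, len, &h)) return NULL;
    if (h.image_type != TGA_TYPE_TRUECOLOR) return NULL;
    if (!tga_size_checked(&h, &need)) return NULL;
    data_off = TGA_HEADER_LEN + (size_t)h.id_length;
    if (len < data_off || len - data_off < need) return NULL; /* truncated */
    uint8_t *pixels = malloc(need);
    if (pixels == NULL) return NULL;
    memcpy(pixels, buf + data_off, need);
    *out_len = need;
    return pixels;
}

/* Constructed input: an 18-byte header for an uncompressed true-colour
 * image of the given geometry (no image ID, no colour map). */
static void tga_build_header(uint8_t *out, uint16_t w, uint16_t hgt, uint8_t bpp) {
    memset(out, 0, TGA_HEADER_LEN);
    out[2]  = TGA_TYPE_TRUECOLOR;
    out[12] = (uint8_t)(w & 0xff);   out[13] = (uint8_t)(w >> 8);
    out[14] = (uint8_t)(hgt & 0xff); out[15] = (uint8_t)(hgt >> 8);
    out[16] = bpp;
}

/* Build header + `avail` zero pixel bytes, run the hardened loader and
 * return the bytes loaded, or 0 when the file is rejected. */
static size_t demo_load(uint16_t w, uint16_t hgt, uint8_t bpp, size_t avail) {
    size_t len = TGA_HEADER_LEN + avail, got = 0, result;
    uint8_t *file = calloc(len, 1);
    if (file == NULL) return 0;
    tga_build_header(file, w, hgt, bpp);
    uint8_t *px = tga_load(file, len, &got);
    result = px ? got : 0;
    free(px);
    free(file);
    return result;
}

int main(void) {
    tga_hdr hostile = { .width = 32768, .height = 32768, .bits_per_pixel = 32 };
    printf("32768x32768x32: unchecked size %u, hardened loader returns %zu\n",
           tga_size_unchecked(&hostile), demo_load(32768, 32768, 32, 0));
    printf("4x4x32: 64 bytes present -> %zu, 10 bytes present -> %zu\n",
           demo_load(4, 4, 32, 64), demo_load(4, 4, 32, 10));
    return 0;
}
```

The two checks in tga_load are independent: the size computation guards the allocation, and the comparison against the bytes actually present in the buffer guards the copy, so a header that declares a huge image on top of a tiny file is rejected before either malloc or memcpy runs.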
--- Begin Message ---
Source: plib
Source-Version: 1.8.5-10
Done: Anton Gladky <gladk@debian.org>

We believe that the bug you reported is fixed in the latest version of
plib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated plib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Oct 2021 13:38:47 +0200
Source: plib
Architecture: source
Version: 1.8.5-10
Distribution: unstable
Urgency: medium
Maintainer: Anton Gladky <gladk@debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 992973
Changes:
 plib (1.8.5-10) unstable; urgency=medium
 .
   * [6a45ca2] Add .gitlab-ci.yml
   * [7284a82] Add autopkgtests
   * [820a8f6] Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
               (Closes: #992973)
   * [b3dfe58] Trim trailing whitespace.
   * [53ad3b7] Update watch file format version to 4.
   * [11591a3] Avoid explicitly specifying -Wl,--as-needed linker flag.
   * [ee5f26d] Take the package
   * [d84e16c] Set compat-level 13. Standards-version: 4.6.0
   * [fd16cb9] Add not-installed (for .la-files)
Checksums-Sha1:
 e17ddd182dd6cd010a37125049a22b13214262b9 2015 plib_1.8.5-10.dsc
 14b7a941a1831fcad5f5a9ede31c7c8a01d9e2c6 11780 plib_1.8.5-10.debian.tar.xz
 dfb15ac8d0015b02a4e9fd96822ed465a84193f0 8269 plib_1.8.5-10_source.buildinfo
Checksums-Sha256:
 03bbc773cd827ccd75866bb04b7555fdf70cd2d62ef61b26ab0770d9e692d83e 2015 plib_1.8.5-10.dsc
 f659da51f9dd2599a84a0824966f96eea84b3a28a38c1661161a3927d43a5843 11780 plib_1.8.5-10.debian.tar.xz
 f09cbb8d023fb76ac8d694584df67f42b3c93a535be52d62738f9d7b58eb3b52 8269 plib_1.8.5-10_source.buildinfo
Files:
 463eaee6ab79865e4fef28974d0c497e 2015 devel optional plib_1.8.5-10.dsc
 cbdc25224185f17c080907ef1b928f0d 11780 devel optional plib_1.8.5-10.debian.tar.xz
 b13578f510a952ad0af0cfeac87909bf 8269 devel optional plib_1.8.5-10_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
