
Bug#963626: marked as done (tuxguitar: CVE-2020-14940)



Your message dated Mon, 06 Nov 2023 22:40:02 +0000
with message-id <E1r08GI-00DUqT-Dg@fasolo.debian.org>
and subject line Bug#963626: fixed in tuxguitar 1.5.6+dfsg1-7
has caused the Debian Bug report #963626,
regarding tuxguitar: CVE-2020-14940
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
963626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963626
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: tuxguitar
Version: 1.2-25
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/tuxguitar/bugs/126/
Control: found -1 1.2-23
Control: found -1 1.2-22

Hi,

The following vulnerability was published for tuxguitar.

CVE-2020-14940[0]:
| An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar
| 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading
| GP6 (.gpx) and GP7 (.gp) tablature files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14940
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14940
[1] https://sourceforge.net/p/tuxguitar/bugs/126/
[2] https://logicaltrust.net/blog/2020/06/tuxguitar.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tuxguitar
Source-Version: 1.5.6+dfsg1-7
Done: Bastian Germann <bage@debian.org>

We believe that the bug you reported is fixed in the latest version of
tuxguitar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated tuxguitar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 06 Nov 2023 23:13:56 +0100
Source: tuxguitar
Architecture: source
Version: 1.5.6+dfsg1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 963626
Changes:
 tuxguitar (1.5.6+dfsg1-7) unstable; urgency=medium
 .
   * QA upload
   * Fix CVE-2020-14940 (Closes: #963626)
   * Try build on every Linux arch

--- End Message ---
