
Bug#1070370: marked as done (dmitry: CVE-2017-7938 CVE-2020-14931 CVE-2024-31837)



Your message dated Fri, 12 Jul 2024 08:34:20 +0000
with message-id <E1sSBjQ-006k4i-8L@fasolo.debian.org>
and subject line Bug#1070370: fixed in dmitry 1.3a-5
has caused the Debian Bug report #1070370,
regarding dmitry: CVE-2017-7938 CVE-2020-14931 CVE-2024-31837
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1070370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070370
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: dmitry
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for dmitry.

CVE-2017-7938[0]:
| Stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) version 1.3a (Unix) allows attackers to cause a
| denial of service (application crash) or possibly have unspecified
| other impact via a long argument. An example threat model is
| automated execution of DMitry with hostname strings found in local
| log files.

https://packetstormsecurity.com/files/142210/Dmitry-1.3a-Local-Stack-Buffer-Overflow.html
https://github.com/jaygreig86/dmitry/pull/12

CVE-2020-14931[1]:
| A stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) 1.3a might allow remote WHOIS servers to execute
| arbitrary code via a long line in a response that is mishandled by
| nic_format_buff.

https://github.com/jaygreig86/dmitry/issues/4
https://github.com/jaygreig86/dmitry/pull/6
Fixed by: https://github.com/jaygreig86/dmitry/commit/da1fda491145719ae15dd36dd37a69bdbba0b192

CVE-2024-31837[2]:
| DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-
| string vulnerability, with a threat model similar to CVE-2017-7938.

https://github.com/jaygreig86/dmitry/pull/12

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7938
    https://www.cve.org/CVERecord?id=CVE-2017-7938
[1] https://security-tracker.debian.org/tracker/CVE-2020-14931
    https://www.cve.org/CVERecord?id=CVE-2020-14931
[2] https://security-tracker.debian.org/tracker/CVE-2024-31837
    https://www.cve.org/CVERecord?id=CVE-2024-31837

Please adjust the affected versions in the BTS as needed.

--- End Message ---
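As an added illustration that is not DMitry's code and not the patches linked above, this is the defensive shape the fixes for CVE-2020-14931 and CVE-2024-31837 take: a WHOIS response line is copied into a fixed buffer with an explicit bound and a guaranteed terminator, and response text reaches printf only as a `%s` argument. The buffer size, the function names and the sample response are assumptions constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WHOIS_BUF 64 /* assumed fixed line buffer; the size is illustrative */

/* Bounded copy of one response line; the unbounded version of this step is the
 * CVE-2020-14931 pattern. Returns 1 if the line had to be truncated. */
static int copy_line(const char *src, size_t len, char *out, size_t outsz)
{
    int truncated = len >= outsz;
    size_t n = truncated ? outsz - 1 : len;
    memcpy(out, src, n);
    out[n] = '\0';
    return truncated;
}

/* Splits a raw response on '\n' and handles each line with bounds. Response
 * text is passed to printf as a %s argument, never as the format string (the
 * format-string class reported as CVE-2024-31837). Returns truncated count. */
static int scan_response(const char *resp)
{
    char buf[WHOIS_BUF];
    int truncated = 0;
    while (*resp) {
        const char *nl = strchr(resp, '\n');
        size_t len = nl ? (size_t)(nl - resp) : strlen(resp);
        truncated += copy_line(resp, len, buf, sizeof buf);
        printf("%s\n", buf);
        resp += len + (nl ? 1 : 0);
    }
    return truncated;
}

/* Constructed sample: two normal lines around one oversized line of 'A's. */
static char *build_response(size_t long_len)
{
    const char *head = "Domain Name: EXAMPLE.COM\n", *tail = "\nRegistrar: Example Registrar\n";
    char *r = malloc(strlen(head) + long_len + strlen(tail) + 1);
    strcpy(r, head);
    memset(r + strlen(head), 'A', long_len);
    strcpy(r + strlen(head) + long_len, tail);
    return r;
}

int main(void)
{
    char *resp = build_response(4096);
    printf("truncated lines: %d\n", scan_response(resp));
    free(resp);
    return 0;
}
```

A non-zero truncated count is a cheap signal that a WHOIS server returned something abnormal and is worth logging.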
--- Begin Message ---
Source: dmitry
Source-Version: 1.3a-5
Done: Petter Reinholdtsen <pere@debian.org>

We believe that the bug you reported is fixed in the latest version of
dmitry, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated dmitry package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 12 Jul 2024 09:40:24 +0200
Source: dmitry
Architecture: source
Version: 1.3a-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Closes: 746769 1070370
Changes:
 dmitry (1.3a-5) unstable; urgency=medium
 .
   * QA upload.
 .
   [ g0t mi1k ]
   * Fix ARM64 support.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2020-14931: Buffer overflow in nic_format_buff.
   * Fix format string.
   * Fix CVE-2017-7938 and CVE-2024-31837.
   * Closes: #1070370
 .
   [ Petter Reinholdtsen ]
   * Added file-open-return-type.patch to ensure consistent prototypes for
     file_open() (Closes: #746769).


--- End Message ---