
Bug#971396: marked as done (md4c: CVE-2020-26148)



Your message dated Wed, 30 Sep 2020 03:20:06 +0000
with message-id <E1kNSf0-000BBY-SM@fasolo.debian.org>
and subject line Bug#971396: fixed in md4c 0.4.5-2
has caused the Debian Bug report #971396,
regarding md4c: CVE-2020-26148
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
971396: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971396
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: md4c
Version: 0.4.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mity/md4c/issues/130
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for md4c.

CVE-2020-26148[0]:
| md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to
| trigger use of uninitialized memory, and cause a denial of service
| (e.g., assertion failure) via a malformed Markdown document.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26148
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26148
[1] https://github.com/mity/md4c/commit/22ca89a3008966c4316d6b0a158b1a49f9038df0
[2] https://github.com/mity/md4c/issues/130

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: md4c
Source-Version: 0.4.5-2
Done: Patrick Franz <patfra71@gmail.com>

We believe that the bug you reported is fixed in the latest version of
md4c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971396@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <patfra71@gmail.com> (supplier of updated md4c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 30 Sep 2020 04:52:53 +0200
Source: md4c
Architecture: source
Version: 0.4.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <patfra71@gmail.com>
Closes: 971396
Changes:
 md4c (0.4.5-2) unstable; urgency=medium
 .
   * Add fix_CVE-2020-26148.patch to fix CVE-2020-26148 (Closes: #971396).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
