Your message dated Sat, 23 Jun 2018 12:32:13 +0100 with message-id <1529753533.11744.69.camel@adam-barratt.org.uk> and subject line Closing bugs for requests included in the EoL jessie point release has caused the Debian Bug report #901425, regarding jessie-pu: package file/1:5.22+15-2+deb8u3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 901425: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901425 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package file/1:5.22+15-2+deb8u3
- From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Date: Wed, 13 Jun 2018 08:15:48 +0200
- Message-id: <[🔎] 1528870244@msgid.manchmal.in-ulm.de>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hello release team, yet another security issue was found in file/libmagic: "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file" (CVE-2018-10360) https://security-tracker.debian.org/tracker/CVE-2018-10360 https://bugs.debian.org/901351 After a brief discussion with the security team we agreed this should be addressed in the upcoming point release, so here we go. Following the new policy, I've already uploaded file_5.22+15-2+deb8u4 to oldstable. Kind regards, Christoph Biedl -- System Information: Debian Release: 8.10 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable-proposed-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.14.48 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)diff -Nru file-5.22+15/debian/changelog file-5.22+15/debian/changelog --- file-5.22+15/debian/changelog 2016-12-04 10:00:07.000000000 +0100 +++ file-5.22+15/debian/changelog 2018-06-11 23:24:19.000000000 +0200 @@ -1,3 +1,10 @@ +file (1:5.22+15-2+deb8u4) oldstable; urgency=high + + * Avoid reading past the end of buffer. Closes: #901351 + [CVE-2018-10360] + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Mon, 11 Jun 2018 23:24:19 +0200 + file (1:5.22+15-2+deb8u3) stable; urgency=medium * Fix memory leak in magic loader. Closes: #840754 diff -Nru file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch --- file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch 1970-01-01 01:00:00.000000000 +0100 +++ file-5.22+15/debian/patches/cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch 2018-06-11 23:24:19.000000000 +0200 @@ -0,0 +1,19 @@ +Subject: Avoid reading past the end of buffer (Rui Reis) +ID: CVE-2018-10360 +Origin: FILE5_33-31-ga642587a +Upstream-Author: Christos Zoulas <christos@zoulas.com> +Date: Sat Jun 9 16:00:06 2018 +0000 +Bug-Debian: https://bugs.debian.org/901351 + +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -789,7 +789,8 @@ + + cname = (unsigned char *) + &nbuf[doff + prpsoffsets(i)]; +- for (cp = cname; *cp && isprint(*cp); cp++) ++ for (cp = cname; cp < nbuf + size && *cp ++ && isprint(*cp); cp++) + continue; + /* + * Linux apparently appends a space at the end diff -Nru file-5.22+15/debian/patches/series file-5.22+15/debian/patches/series --- file-5.22+15/debian/patches/series 2016-12-04 09:50:30.000000000 +0100 +++ file-5.22+15/debian/patches/series 2018-06-11 23:23:32.000000000 +0200 @@ -15,3 +15,4 @@ CVE-2015-8865.6713ca4.patch cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch +cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patchAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 831459-done@bugs.debian.org, 837458-done@bugs.debian.org, 862030-done@bugs.debian.org, 876944-done@bugs.debian.org, 879161-done@bugs.debian.org, 885533-done@bugs.debian.org, 885584-done@bugs.debian.org, 885619-done@bugs.debian.org, 887047-done@bugs.debian.org, 887138-done@bugs.debian.org, 887559-done@bugs.debian.org, 887857-done@bugs.debian.org, 888019-done@bugs.debian.org, 888553-done@bugs.debian.org, 888767-done@bugs.debian.org, 891611-done@bugs.debian.org, 891974-done@bugs.debian.org, 893507-done@bugs.debian.org, 893804-done@bugs.debian.org, 893970-done@bugs.debian.org, 895144-done@bugs.debian.org, 895887-done@bugs.debian.org, 895935-done@bugs.debian.org, 896841-done@bugs.debian.org, 896919-done@bugs.debian.org, 896942-done@bugs.debian.org, 897369-done@bugs.debian.org, 897447-done@bugs.debian.org, 897911-done@bugs.debian.org, 899018-done@bugs.debian.org, 899030-done@bugs.debian.org, 901194-done@bugs.debian.org, 901276-done@bugs.debian.org, 901425-done@bugs.debian.org, 901613-done@bugs.debian.org, 901645-done@bugs.debian.org
- Subject: Closing bugs for requests included in the EoL jessie point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jun 2018 12:32:13 +0100
- Message-id: <1529753533.11744.69.camel@adam-barratt.org.uk>
Version: 8.11 Hi, The updates referenced by these bugs were included in today's EoL point release for jessie (8.11). Regards, Adam
--- End Message ---