
Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1



Hi,

On Sun, Jun 26, 2022 at 05:36:42PM -0400, Nicolas Mora wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> Fix possible buffer overflow when decrypting forged jwe with invalid iv or
> cypherkey
> 
> [ Impact ]
> program might crash or execute arbitrary code
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Check iv and cypherkey len before decoding them
> 
> [ Other info ]
> CVE id pending

Looks like the CVE is CVE-2022-32096 now:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32096

Regards,
Salvatore
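
The check named under [ Changes ] (validate the length of an encoded field before decoding it into a fixed buffer), as an added example that is not rhonabwy's code and not part of this thread. It assumes a 96-bit AES-GCM IV; `decode_exact`, `check_iv` and `GCM_IV_LEN` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define GCM_IV_LEN 12 /* assumed: 96-bit AES-GCM IV; all names here are hypothetical */

/* Map one base64url character to its 6-bit value, or -1 if invalid. */
static int b64url_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decoded size of an unpadded base64url string of n characters, or
 * (size_t)-1 if impossible (n % 4 == 1 never occurs in valid input). */
static size_t b64url_decoded_len(size_t n) {
    if (n % 4 == 1) return (size_t)-1;
    return n / 4 * 3 + (n % 4 ? n % 4 - 1 : 0);
}

/* Decode enc into out only if it decodes to exactly want bytes and want
 * fits in out_cap. Returns 0 on success, -1 on rejection; nothing is
 * written to out before the length check passes. */
int decode_exact(const char *enc, unsigned char *out, size_t out_cap, size_t want) {
    size_t n = strlen(enc), o = 0;
    unsigned int acc = 0;
    int bits = 0;
    if (want > out_cap || b64url_decoded_len(n) != want) return -1;
    for (size_t i = 0; i < n; i++) {
        int v = b64url_val(enc[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return 0;
}

/* Validate the IV segment of a token; callers pass the raw base64url field. */
int check_iv(const char *iv_b64) {
    unsigned char iv[GCM_IV_LEN];
    return decode_exact(iv_b64, iv, sizeof iv, GCM_IV_LEN);
}
```

An oversized field is rejected from its encoded length alone, so a forged token never reaches the write loop.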

