Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1
- To: Nicolas Mora <babelouest@debian.org>, 1013893@bugs.debian.org
- Subject: Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 15 Jul 2022 22:24:21 +0200
- Message-id: <YtHM9TqQ+oKPP/Ec@eldamar.lan>
- Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1013893@bugs.debian.org
- In-reply-to: <165627940222.12101.18276776410537965.reportbug@galahad>
- References: <165627940222.12101.18276776410537965.reportbug@galahad>
Hi,
On Sun, Jun 26, 2022 at 05:36:42PM -0400, Nicolas Mora wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> Fix possible buffer overflow when decrypting forged jwe with invalid iv or
> cypherkey
>
> [ Impact ]
> program might crash or execute arbitrary code
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Check iv and cypherkey len before decoding them
>
> [ Other info ]
> CVE id pending
Looks like the CVE is CVE-2022-32096 now:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32096
Regards,
Salvatore
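The fix described in the request is a length check on the JWE IV and encrypted-key fields before they are decoded into fixed-size buffers. The following is an added illustration of that class of check, written for this page and not taken from rhonabwy; the function names, the `enc`-to-IV-size table (96-bit IVs for AES-GCM, 128-bit for AES-CBC-HMAC per RFC 7518) and the sample inputs are assumptions and constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Byte length an unpadded base64url string decodes to, or -1 when the
 * length is impossible (a remainder of 1 cannot come from base64).
 * Trailing '=' padding is tolerated so padded input is measured too. */
long b64url_decoded_len(const char *s) {
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == '=') n--;
    switch (n % 4) {
        case 0:  return (long)(n / 4 * 3);
        case 2:  return (long)(n / 4 * 3 + 1);
        case 3:  return (long)(n / 4 * 3 + 2);
        default: return -1;
    }
}

/* Generic check: decode only if the field will fit the expected size
 * exactly. Used for the IV and for the encrypted (cipher) key, whose
 * expected size comes from the key-management algorithm. */
int jwe_field_len_ok(const char *b64url, size_t want) {
    long have = b64url_decoded_len(b64url);
    return want != 0 && have == (long)want;
}

/* IV size required by the JWE "enc" algorithm (assumed subset). */
size_t jwe_expected_iv_len(const char *enc) {
    if (!strcmp(enc, "A128GCM") || !strcmp(enc, "A192GCM") ||
        !strcmp(enc, "A256GCM"))
        return 12;
    if (!strcmp(enc, "A128CBC-HS256") || !strcmp(enc, "A192CBC-HS384") ||
        !strcmp(enc, "A256CBC-HS512"))
        return 16;
    return 0; /* unknown algorithm: never safe to decode */
}

/* 1 when the encoded IV matches the algorithm's IV size, else 0. */
int jwe_iv_len_ok(const char *enc, const char *iv_b64url) {
    return jwe_field_len_ok(iv_b64url, jwe_expected_iv_len(enc));
}

int main(void) {
    /* Constructed inputs: 16 chars -> 12 bytes (valid GCM IV),
     * 43 chars -> 32 bytes (oversized IV that must be rejected). */
    const char *good = "AAAAAAAAAAAAAAAA";
    const char *bad  = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAA";
    return (jwe_iv_len_ok("A128GCM", good) && !jwe_iv_len_ok("A128GCM", bad)) ? 0 : 1;
}
```

The same `jwe_field_len_ok` call guards the encrypted-key field by passing the size the key-management algorithm dictates (for example the RSA modulus length in bytes), so a forged token cannot push an oversized value into a fixed buffer.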