[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1029976: marked as done (bullseye-pu: libzen/0.4.38-1+deb11u1)

Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1029976,
regarding bullseye-pu: libzen/0.4.38-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1029976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029976
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bulleye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for libzen fixes CVE-2020-36646 in Bullseye.
It has been already uploaded to all releases from Jessie to Buster.

This CVE has been marked as no-dsa by the security team.

  Thorsten

diff -Nru libzen-0.4.38/debian/changelog libzen-0.4.38/debian/changelog
--- libzen-0.4.38/debian/changelog	2020-04-10 17:32:09.000000000 +0200
+++ libzen-0.4.38/debian/changelog	2023-01-28 13:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+libzen (0.4.38-1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-36646
+    fix for possible null pointer dereference
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sat, 28 Jan 2023 13:03:02 +0100
+
 libzen (0.4.38-1) unstable; urgency=medium
 
   * [7cc8350] New upstream version 0.4.38
diff -Nru libzen-0.4.38/debian/patches/CVE-2020-36646.patch libzen-0.4.38/debian/patches/CVE-2020-36646.patch
--- libzen-0.4.38/debian/patches/CVE-2020-36646.patch	1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/CVE-2020-36646.patch	2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1,27 @@
+commit 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408
+Author: Pave Pimenov <pavel.pimenov@gmail.com>
+Date:   Sat Sep 12 07:46:47 2020 +0300
+
+    fix V522 [CWE-690] There might be dereferencing of a potential null pointer 'Gmt'.
+
+diff --git a/Source/ZenLib/Ztring.cpp b/Source/ZenLib/Ztring.cpp
+index bc38fe4..21bbc58 100644
+--- a/Source/ZenLib/Ztring.cpp
++++ b/Source/ZenLib/Ztring.cpp
+@@ -1364,6 +1364,8 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const int32u Value)
+     #endif
+     Ztring DateT;
+     Ztring Date;
++    if (Gmt)
++    {
+     Date+=Ztring::ToZtring((Gmt->tm_year+1900));
+     Date+=__T("-");
+     DateT.From_Number(Gmt->tm_mon+1); if (DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_mon+1);}
+@@ -1381,6 +1383,7 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const int32u Value)
+     DateT.From_Number(Gmt->tm_sec); if (DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_sec);}
+     Date+=DateT;
+     assign (Date.c_str());
++    }
+     return *this;
+ }
+ 
diff -Nru libzen-0.4.38/debian/patches/series libzen-0.4.38/debian/patches/series
--- libzen-0.4.38/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/series	2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1 @@
+CVE-2020-36646.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
Reply to: