Your message dated Fri, 23 Feb 2024 22:54:01 +0000 with message-id <E1rdeQb-00HYWr-UB@fasolo.debian.org> and subject line Bug#1064517: fixed in texlive-bin 2023.20230311.66589-9 has caused the Debian Bug report #1064517, regarding texlive-bin: CVE-2024-25262 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1064517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064517
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: texlive-bin: CVE-2024-25262
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Fri, 23 Feb 2024 16:31:00 +0100
- Message-id: <Zdi6NNkPF0BRoFI7@pisco.westfalen.local>
Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for texlive-bin.

CVE-2024-25262[0]:
| texlive-bin commit c515e was discovered to contain heap buffer
| overflow via the function ttfLoadHDMX:ttfdump. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via supplying a
| crafted TTF file.

https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605&view=co
https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
https://github.com/TeX-Live/texlive-source/pull/63

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25262
    https://www.cve.org/CVERecord?id=CVE-2024-25262

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1064517-close@bugs.debian.org
- Subject: Bug#1064517: fixed in texlive-bin 2023.20230311.66589-9
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 23 Feb 2024 22:54:01 +0000
- Message-id: <E1rdeQb-00HYWr-UB@fasolo.debian.org>
- Reply-to: Hilmar Preusse <hille42@web.de>
Source: texlive-bin
Source-Version: 2023.20230311.66589-9
Done: Hilmar Preusse <hille42@web.de>

We believe that the bug you reported is fixed in the latest version of texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1064517@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Feb 2024 22:59:00 +0100
Source: texlive-bin
Architecture: source
Version: 2023.20230311.66589-9
Distribution: unstable
Urgency: medium
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Closes: 1064517
Changes:
 texlive-bin (2023.20230311.66589-9) unstable; urgency=medium
 .
   * Rename / Remove obsolete patches form source package.
   * Add DEP-3 headers to a few other patches.
   * Add "DEB_BUILD_MAINT_OPTIONS = hardening=+all" to d/rules.
   * Add patch for CVE-2024-25262 (Closes: #1064517).
   * Remove surplus ${shlibs:Depends} from -dev packages.
--- End Message ---