
Bug#840440: marked as done (libxi: CVE-2016-7945 CVE-2016-7946)



Your message dated Tue, 06 Dec 2016 00:03:41 +0000
with message-id <E1cE3ET-0009vd-2f@fasolo.debian.org>
and subject line Bug#840440: fixed in libxi 2:1.7.8-1
has caused the Debian Bug report #840440,
regarding libxi: CVE-2016-7945 CVE-2016-7946
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
840440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840440
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libxi
Version: 2:1.7.4-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for libxi.

CVE-2016-7945[0]:
for all of the integer overflows

CVE-2016-7946[1]:
for all of the other mishandling of the reply data

Note there is a regression in the original fix.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7945
[1] https://security-tracker.debian.org/tracker/CVE-2016-7946

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxi
Source-Version: 2:1.7.8-1

We believe that the bug you reported is fixed in the latest version of
libxi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840440@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated libxi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Dec 2016 00:50:24 +0100
Source: libxi
Binary: libxi6 libxi6-udeb libxi-dev
Architecture: source
Version: 2:1.7.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 libxi-dev  - X11 Input extension library (development headers)
 libxi6     - X11 Input extension library
 libxi6-udeb - X11 Input extension library (udeb)
Closes: 840440
Changes:
 libxi (2:1.7.8-1) unstable; urgency=medium
 .
   [ Andreas Boll ]
   * New upstream release.
     - Fixes CVE-2016-7945 and CVE-2016-7946 (Closes: #840440).
   * Update d/upstream/signing-key.asc with Matthieu Herrb's key.
   * Update a bunch of URLs in packaging to https.
   * Bump Standards-Version to 3.9.8, no changes needed.
 .
   [ Emilio Pozuelo Monfort ]
   * Acknowledge 2:1.7.6-1.1 NMU.
   * Cherry-pick upstream commit 7ac03c6c to plug a memory leak in the
     security fix.
   * Cherry-pick upstream commit 4c5c8d62, check a buffer was allocated
     before writing to it.
   * Bump debhelper compat to 10.
     + debhelper now calls dh-autoreconf automatically.
     + debhelper now enables --parallel by default.
   * Switch to -dbgsym packages.
   * debhelper passes --disable-silent-rules to configure for us.
   * Drop explicit build target. dh $@ can handle it.


--- End Message ---
