
Bug#883792: marked as done (libxcursor: CVE-2017-16612: heap overflows when parsing malicious files)



Your message dated Sat, 09 Dec 2017 14:38:27 +0000
with message-id <E1eNgGp-0001cu-QB@fasolo.debian.org>
and subject line Bug#883792: fixed in libxcursor 1:1.1.14-1+deb8u1
has caused the Debian Bug report #883792,
regarding libxcursor: CVE-2017-16612: heap overflows when parsing malicious files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
883792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883792
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libxcursor
Version: 1:1.1.14-1
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for libxcursor.

CVE-2017-16612[0]:
| libXcursor before 1.1.15 has various integer overflows that could lead
| to heap buffer overflows when processing malicious cursors, e.g., with
| programs like GIMP.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16612
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
[1] https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxcursor
Source-Version: 1:1.1.14-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
libxcursor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxcursor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 16:41:25 +0100
Source: libxcursor
Binary: libxcursor1 libxcursor1-udeb libxcursor1-dbg libxcursor-dev
Architecture: source
Version: 1:1.1.14-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 883792
Description: 
 libxcursor-dev - X cursor management library (development files)
 libxcursor1 - X cursor management library
 libxcursor1-dbg - X cursor management library (unstripped)
 libxcursor1-udeb - X cursor management library (udeb)
Changes:
 libxcursor (1:1.1.14-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix heap overflows when parsing malicious files (CVE-2017-16612)
     (Closes: #883792)
Package-Type: udeb
Checksums-Sha1: 
 f5b40465c76de143ba07b0dd875b0f726c1e7c55 2489 libxcursor_1.1.14-1+deb8u1.dsc
 873a91831946cdedc0724b1d048c8041d958807c 374910 libxcursor_1.1.14.orig.tar.gz
 5f9c33126ce19bf8fcfc2350ab6e78fdad60139e 19303 libxcursor_1.1.14-1+deb8u1.diff.gz
Checksums-Sha256: 
 7af9f2b539d1fca5fda58ad45597cb748a3bfc60ac40e979264d99354ceefea3 2489 libxcursor_1.1.14-1+deb8u1.dsc
 be0954faf274969ffa6d95b9606b9c0cfee28c13b6fc014f15606a0c8b05c17b 374910 libxcursor_1.1.14.orig.tar.gz
 eaeb821b3d4eab91585687533da6bfec45e1195e7f6cf984ced43b221cc4296d 19303 libxcursor_1.1.14-1+deb8u1.diff.gz
Files: 
 7ba0e1b103e6a968b699d0058f99e564 2489 devel optional libxcursor_1.1.14-1+deb8u1.dsc
 39c8423de190d64f1c52fbc00022e52c 374910 devel optional libxcursor_1.1.14.orig.tar.gz
 d3446e44aadefbf91843af6a2ceae6cf 19303 devel optional libxcursor_1.1.14-1+deb8u1.diff.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
