Bug#883792: marked as done (libxcursor: CVE-2017-16612: heap overflows when parsing malicious files)
Your message dated Mon, 11 Dec 2017 09:05:48 +0000
with message-id <E1eOK20-000EkX-Bz@fasolo.debian.org>
and subject line Bug#883792: fixed in libxcursor 1:1.1.14-3.1
has caused the Debian Bug report #883792,
regarding libxcursor: CVE-2017-16612: heap overflows when parsing malicious files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
883792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883792
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libxcursor
Version: 1:1.1.14-1
Severity: important
Tags: patch security upstream
Hi,
the following vulnerability was published for libxcursor.
CVE-2017-16612[0]:
| libXcursor before 1.1.15 has various integer overflows that could lead
| to heap buffer overflows when processing malicious cursors, e.g., with
| programs like GIMP.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
[1] https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxcursor
Source-Version: 1:1.1.14-3.1
We believe that the bug you reported is fixed in the latest version of
libxcursor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 883792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxcursor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Dec 2017 08:45:47 +0100
Source: libxcursor
Binary: libxcursor1 libxcursor1-udeb libxcursor-dev
Architecture: source
Version: 1:1.1.14-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 883792
Description:
libxcursor-dev - X cursor management library (development files)
libxcursor1 - X cursor management library
libxcursor1-udeb - X cursor management library (udeb)
Changes:
libxcursor (1:1.1.14-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix heap overflows when parsing malicious files (CVE-2017-16612)
(Closes: #883792)
Package-Type: udeb
Checksums-Sha1:
424a1e70149bf20ecd9f5fa3abae12e02ec30a07 2422 libxcursor_1.1.14-3.1.dsc
2ffec746fe09c462f6e7fbce1afcf162d201bff2 9836 libxcursor_1.1.14-3.1.debian.tar.xz
Checksums-Sha256:
b1cd95c8131cf8fe4252c379e702a9531a76ac532752f79b8dee94a01dc51a9e 2422 libxcursor_1.1.14-3.1.dsc
b2cc4ae463ae8e015f16c15ae0e058625a401422a30c001dcae71ebbf5ba9dc8 9836 libxcursor_1.1.14-3.1.debian.tar.xz
Files:
801502fe0f22b4d76723210ca0184889 2422 devel optional libxcursor_1.1.14-3.1.dsc
b7306def0044a280ec1ca9db1dd4b964 9836 devel optional libxcursor_1.1.14-3.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---