
Bug#889681: marked as done (wayland: CVE-2017-16612)



Your message dated Sun, 04 Mar 2018 11:22:06 +0000
with message-id <E1esRiQ-0004M0-OX@fasolo.debian.org>
and subject line Bug#889681: fixed in wayland 1.14.0-2
has caused the Debian Bug report #889681,
regarding wayland: CVE-2017-16612
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
889681: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889681
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: wayland
Version: 1.6.0-1
Severity: important
Tags: patch security upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=103961

Hi,

the following vulnerability was published for wayland.

CVE-2017-16612[0]:
| libXcursor before 1.1.15 has various integer overflows that could lead
| to heap buffer overflows when processing malicious cursors, e.g., with
| programs like GIMP. It is also possible that an attack vector exists
| against the related code in cursor/xcursor.c in Wayland through
| 1.14.0.

Note: I asked MITRE for advice on whether the CVE should also apply to
wayland, which led to the updated description above.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16612
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
[1] https://bugs.freedesktop.org/show_bug.cgi?id=103961
[2] https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38
[3] https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
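To make the bug class named in the report concrete, here is an added example in C. It is not code from wayland's cursor/xcursor.c, from libXcursor, or from the reporter; it models only the image-chunk size computation. The field layout follows the Xcursor image chunk (width, height, xhot, yhot, delay as 32-bit little-endian values, then width*height 32-bit pixels). The unchecked function shows the 32-bit wrap the CVE text refers to; the checked function bounds each dimension and multiplies in a wider type before anything is allocated. The IMAGE_MAX_DIM limit, the hotspot check and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Example code, not libXcursor or wayland's cursor/xcursor.c.  Models one
 * Xcursor image chunk: five 32-bit LE fields (width, height, xhot, yhot,
 * delay) followed by width*height 32-bit ARGB pixels. */

#define IMAGE_HEADER_BYTES 20u
/* Assumption for this example: 0x7fff is the largest dimension for which
 * dim * dim * 4 still fits in 32 bits (0x8000 * 0x8000 * 4 == 2^32). */
#define IMAGE_MAX_DIM      0x7fffu

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the byte count is computed in the 32-bit type of the
 * header fields and silently wraps.  0x10000 x 0x10000 yields 0 bytes; an
 * allocation of that size followed by a copy of the real pixel count is the
 * heap overflow the CVE describes. */
uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Hardened pattern: reject out-of-range dimensions first, then multiply in
 * a 64-bit type.  Returns the byte count, or -1 if the header is rejected. */
int64_t pixel_bytes_checked(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0 || width > IMAGE_MAX_DIM || height > IMAGE_MAX_DIM)
        return -1;
    return (int64_t)width * (int64_t)height * 4;
}

/* Parse one image chunk from buf[0..len).  On success returns the pixel
 * count and stores a malloc'd copy of the pixels in *pixels (caller frees).
 * Returns -1 for a malformed or truncated chunk. */
long parse_image_chunk(const uint8_t *buf, size_t len, uint32_t **pixels)
{
    if (len < IMAGE_HEADER_BYTES)
        return -1;
    uint32_t width  = le32(buf);
    uint32_t height = le32(buf + 4);
    uint32_t xhot   = le32(buf + 8);
    uint32_t yhot   = le32(buf + 12);
    int64_t bytes = pixel_bytes_checked(width, height);
    if (bytes < 0)
        return -1;
    if (xhot > width || yhot > height)            /* hotspot must lie inside the image */
        return -1;
    if ((uint64_t)(len - IMAGE_HEADER_BYTES) < (uint64_t)bytes) /* pixels fully present */
        return -1;
    uint32_t *px = malloc((size_t)bytes);
    if (!px)
        return -1;
    memcpy(px, buf + IMAGE_HEADER_BYTES, (size_t)bytes);
    *pixels = px;
    return (long)(bytes / 4);
}

/* Convenience wrapper: parse and discard the pixels, return the count or -1. */
long demo_parse(const uint8_t *buf, size_t len)
{
    uint32_t *px = NULL;
    long n = parse_image_chunk(buf, len, &px);
    free(px);
    return n;
}

/* Constructed sample input: a 2x2 image, hotspot (1,1), delay 0, four pixels. */
static const uint8_t sample_chunk[] = {
    2,0,0,0,  2,0,0,0,  1,0,0,0,  1,0,0,0,  0,0,0,0,
    0xff,0x00,0x00,0xff,  0x00,0xff,0x00,0xff,
    0x00,0x00,0xff,0xff,  0xff,0xff,0xff,0xff,
};

/* Constructed hostile header: 0x10000 x 0x10000 with no pixel data at all. */
static const uint8_t hostile_chunk[] = {
    0,0,1,0,  0,0,1,0,  0,0,0,0,  0,0,0,0,  0,0,0,0,
};

int main(void)
{
    printf("unchecked size for 0x10000 x 0x10000: %" PRIu32 " bytes (wrapped)\n",
           pixel_bytes_unchecked(0x10000u, 0x10000u));
    printf("sample chunk: %ld pixels\n", demo_parse(sample_chunk, sizeof sample_chunk));
    printf("truncated sample chunk: %ld\n", demo_parse(sample_chunk, sizeof sample_chunk - 8));
    printf("hostile chunk: %ld\n", demo_parse(hostile_chunk, sizeof hostile_chunk));
    return 0;
}
```

The two size functions show why a dimension cap is the simplest fix: once each side is bounded, the product cannot wrap even in 32-bit arithmetic, and the remaining checks (hotspot inside the image, pixel data actually present in the buffer) cost nothing extra. Note that 0x8000 x 0x8000 wraps to exactly zero, so a cap of 0x7fff is not arbitrary.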
--- Begin Message ---
Source: wayland
Source-Version: 1.14.0-2

We believe that the bug you reported is fixed in the latest version of
wayland, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Héctor Orón Martínez <zumbi@debian.org> (supplier of updated wayland package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Mar 2018 11:56:31 +0100
Source: wayland
Binary: libwayland-client0 libwayland-server0 libwayland-cursor0 libwayland-dev libwayland-doc libwayland-bin
Architecture: source
Version: 1.14.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Héctor Orón Martínez <zumbi@debian.org>
Description:
 libwayland-bin - wayland compositor infrastructure - binary utilities
 libwayland-client0 - wayland compositor infrastructure - client library
 libwayland-cursor0 - wayland compositor infrastructure - cursor library
 libwayland-dev - wayland compositor infrastructure - development files
 libwayland-doc - wayland compositor infrastructure - documentation files
 libwayland-server0 - wayland compositor infrastructure - server library
Closes: 889681
Changes:
 wayland (1.14.0-2) unstable; urgency=medium
 .
   * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
     - libXcursor before 1.1.15 has various integer overflows that could lead
       to heap buffer overflows when processing malicious cursors, e.g., with
       programs like GIMP. It is also possible that an attack vector exists
       against the related code in cursor/xcursor.c in Wayland through
       1.14.0.
   * switch back to use upstream tarball
   * debian/control: bump standards version, drop priority stanzas
Checksums-Sha1:
 6f88a222b16d48ba31319b683d2c6051c62f16df 2404 wayland_1.14.0-2.dsc
 07fb66726fa530902982c494867ebffb2be23f73 673438 wayland_1.14.0.orig.tar.gz
 bf08b8a4c3a1f542ed8aa264242eda1aeb687291 10855 wayland_1.14.0-2.diff.gz
 53765ac72a781ae713afed17f3d0c5033b733d75 5599 wayland_1.14.0-2_source.buildinfo
Checksums-Sha256:
 bd10ee4e17a0cc97590890d74fc3094ca06f6f1eca1d022260b85717717d6fa1 2404 wayland_1.14.0-2.dsc
 6042516a27d56ad78dab123fbde7ba697ae6af1080ab9f9ca9f9783a888ce8db 673438 wayland_1.14.0.orig.tar.gz
 06db73e127907b3033a1caf1fd36a6701b427795763d369f914d836d5d8a7c05 10855 wayland_1.14.0-2.diff.gz
 ae059f2b221d32bbfb8317031945212f4f2299f4899565aadcaebfe79c8bbdb4 5599 wayland_1.14.0-2_source.buildinfo
Files:
 6adaa0fdfa79ed38064c7ea1f6879953 2404 x11 optional wayland_1.14.0-2.dsc
 8a058bdde410219c0fd607215d81d8a9 673438 x11 optional wayland_1.14.0.orig.tar.gz
 795c4407bdd0659d3697516b495aa39f 10855 x11 optional wayland_1.14.0-2.diff.gz
 4f6d413373ac65126d5d22800449ca3b 5599 x11 optional wayland_1.14.0-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
