
Bug#1023427: marked as done (pixman: CVE-2022-44638)



Your message dated Sun, 06 Nov 2022 08:35:44 +0000
with message-id <E1orb84-000EmC-3Z@fasolo.debian.org>
and subject line Bug#1023427: fixed in pixman 0.40.0-1.1
has caused the Debian Bug report #1023427,
regarding pixman: CVE-2022-44638
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1023427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023427
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: pixman
Version: 0.40.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for pixman.

CVE-2022-44638[0]:
| In libpixman in Pixman before 0.42.2, there is an out-of-bounds write
| (aka heap-based buffer overflow) in rasterize_edges_8 due to an
| integer overflow in pixman_sample_floor_y.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44638
    https://www.cve.org/CVERecord?id=CVE-2022-44638
[1] https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
[2] https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: pixman
Source-Version: 0.40.0-1.1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
pixman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023427@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pixman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Nov 2022 23:07:46 +0100
Source: pixman
Architecture: source
Version: 0.40.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1023427
Changes:
 pixman (0.40.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Avoid integer overflow leading to out-of-bounds write (CVE-2022-44638)
     (Closes: #1023427)
Checksums-Sha1: 
 8f67c27d223bbdfb06561f8d323cc31bfa4215ec 2184 pixman_0.40.0-1.1.dsc
 05d2600f10ec9dd4b1e88e4874af066d02269fbc 327509 pixman_0.40.0-1.1.diff.gz
Checksums-Sha256: 
 9b70557c36ce3ac3dba10915b981043201cde21f56cec8821c87f4ab39420a06 2184 pixman_0.40.0-1.1.dsc
 5c3d8f81d864457c62344caaa9e9c83b38d98ec65f655fb264e12df6cb77e6d5 327509 pixman_0.40.0-1.1.diff.gz
Files: 
 9890b70ae8bda4dc15a95f368d3ee261 2184 devel optional pixman_0.40.0-1.1.dsc
 0755537f8d070f1f60a5e30a7d88cdb4 327509 devel optional pixman_0.40.0-1.1.diff.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
