
Bug#910757: marked as done (gnulib: CVE-2018-17942 heap-based buffer overflow)



Your message dated Mon, 11 Feb 2019 15:20:15 +0000
with message-id <E1gtDNX-0001mQ-9i@fasolo.debian.org>
and subject line Bug#910757: fixed in gnulib 20140202+stable-3.1
has caused the Debian Bug report #910757,
regarding gnulib: CVE-2018-17942 heap-based buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
910757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910757
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: gnulib
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gnulib.

CVE-2018-17942[0]:
| The convert_to_decimal function in vasnprintf.c in Gnulib before
| 2018-09-23 has a heap-based buffer overflow because memory is not
| allocated for a trailing '\0' character during %f processing.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17942

Patch is available here:

https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35


Please adjust the affected versions in the BTS as needed.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
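The CVE text above describes the bug class rather than the code: the converter sizes its heap buffer from the characters it will print and forgets the trailing '\0', so the terminator write lands one byte past the allocation. The following is an added, constructed model of that pattern; it is not gnulib's vasnprintf.c or its convert_to_decimal, and every name in it (decimal_len, decimal_bytes_written, write_decimal, to_decimal_vulnerable, to_decimal_fixed) and the digit-string input format are this example's own assumptions. It places the short sizing beside the corrected one and makes the writer report how many bytes it stored so the two can be compared.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example (not gnulib code).  Input is a string of decimal
 * digits, most significant first; the last `fracdigits` of them are the
 * fractional part.  Output is "<int>.<frac>", with a single "0" as the
 * integer part when there are no integer digits (as %f prints 0.5).
 * Callers must pass ndigits >= fracdigits; zero padding is out of scope.
 */

/* Visible characters of the result, excluding the terminator. */
size_t decimal_len(size_t ndigits, size_t fracdigits)
{
    size_t intdigits = ndigits > fracdigits ? ndigits - fracdigits : 1;
    return intdigits + (fracdigits ? 1 + fracdigits : 0);
}

/* Bytes the writer really stores: every visible character plus '\0'. */
size_t decimal_bytes_written(size_t ndigits, size_t fracdigits)
{
    return decimal_len(ndigits, fracdigits) + 1;
}

/* Shared writer.  buf must hold decimal_bytes_written() bytes.
 * Returns the number of bytes stored, terminator included. */
static size_t write_decimal(char *buf, const char *digits, size_t ndigits,
                            size_t fracdigits)
{
    char *p = buf;
    size_t intdigits = ndigits > fracdigits ? ndigits - fracdigits : 0;

    if (intdigits == 0) {
        *p++ = '0';
    } else {
        memcpy(p, digits, intdigits);
        p += intdigits;
    }
    if (fracdigits) {
        *p++ = '.';
        memcpy(p, digits + intdigits, fracdigits);
        p += fracdigits;
    }
    *p++ = '\0';                 /* the byte the short sizing did not reserve */
    return (size_t)(p - buf);
}

/* Vulnerable shape: allocates only the visible characters, then the writer
 * stores one more byte.  Kept for comparison only; never call it. */
char *to_decimal_vulnerable(const char *digits, size_t ndigits, size_t fracdigits)
{
    if (ndigits < fracdigits)
        return NULL;
    char *buf = malloc(decimal_len(ndigits, fracdigits));   /* missing + 1 */
    if (!buf)
        return NULL;
    write_decimal(buf, digits, ndigits, fracdigits);        /* one-byte heap overrun */
    return buf;
}

/* Fixed shape: size from the bytes actually written and check the writer
 * agreed, so a future drift between sizing and writing is caught at once. */
char *to_decimal_fixed(const char *digits, size_t ndigits, size_t fracdigits)
{
    if (ndigits < fracdigits)
        return NULL;
    size_t need = decimal_bytes_written(ndigits, fracdigits);
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    size_t stored = write_decimal(buf, digits, ndigits, fracdigits);
    assert(stored == need);      /* sizing and writer must match exactly */
    return buf;
}

int main(void)
{
    char *s = to_decimal_fixed("314159", 6, 5);
    if (!s)
        return 1;
    printf("%s: writer stores %zu bytes, short sizing would allocate %zu\n",
           s, decimal_bytes_written(6, 5), decimal_len(6, 5));
    free(s);
    return 0;
}
```

The practical check this encodes is the one a reviewer wants for any formatter that sizes its own buffer: derive the allocation from the same expression the writer uses to advance its pointer, and have the writer return its byte count so the two can be asserted equal in tests rather than trusted to stay in step.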
--- Begin Message ---
Source: gnulib
Source-Version: 20140202+stable-3.1

We believe that the bug you reported is fixed in the latest version of
gnulib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gnulib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 Feb 2019 11:11:06 +0100
Source: gnulib
Binary: git-merge-changelog git-merge-changelog-dbgsym gnulib
Architecture: source
Version: 20140202+stable-3.1
Distribution: unstable
Urgency: medium
Maintainer: build-common team <team+build-common@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 910757
Description: 
 git-merge-changelog - git merge driver for GNU ChangeLog files
 gnulib     - GNU Portability Library
Changes:
 gnulib (20140202+stable-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * vasnprintf: Fix heap memory overrun bug (CVE-2018-17942) (Closes: #910757)
Checksums-Sha1: 
 f22c4b862cd091919608257810d079313c62f1d7 2248 gnulib_20140202+stable-3.1.dsc
 018993c5a9231fb15a91af10122a797be6ace43a 290736 gnulib_20140202+stable-3.1.debian.tar.xz
Checksums-Sha256: 
 908100709722fa9a71a549573c89a71948d8f04816d01714e9408a732bde5a06 2248 gnulib_20140202+stable-3.1.dsc
 6a5794a899258b507bbc90c30c46ad6ac4272fbae12b5b821185a6032b4e7151 290736 gnulib_20140202+stable-3.1.debian.tar.xz
Files: 
 8872aa72b62c513c741f76ee027e366a 2248 devel optional gnulib_20140202+stable-3.1.dsc
 c46df6821d9b26275bd1e4306248a9b9 290736 devel optional gnulib_20140202+stable-3.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxe5khfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ETcQP/1VKoiSbQhAtjYX/VcJj76DNTLFWLTG1
yFytzSZtNnVgOPiMba4T0imhanI0m68V+xLwvpn5WEWfnrPRjZ+D/EoG48IGJxuP
sLIY11gYmDMW9ZvYkjrdBzRXWu/2P9f9jFrlNO02w4Q/q2hAKxCIA+Ck0h4bRBdC
rH2KO0F2ODaP9YiQHe9246U3TCnj2FTeAc4TBwK3XOHRlc7itM/lTycO7OwyMOb4
+cr4Pd6cMEhCWct1DmGu1fsOv5vdRpc/zXBzxK2TdN1KTk7BO9DkFTBT22ITWqYX
JiJ+SNlHPTCVEkR0Reyl8hrlX2hMO6NVmVgDnlztURUubUnalXk2rrQL5ccD9bLi
1q8A+CQsXhzIFVKeHFUiu5Wz0MdkB30gZmwxOZt1gBBskwG7I6RpsWqzFtk1PJt7
yE1eBY2ADPr2d3/6ByWqm4MCxP+g6ZaAGIZYSzoxig6J5NBCmAly3cwf+3lANPYC
RpENKQkUiPQlF1uD8W4uQp01207GMF1LgTlrQ4R4DTu2ElufIh0pKvVrmGi9Tb+A
/yaTazu5Wk7XPTWIJQesTmiDIdRzsK3TuinoWpfbW6THQdA9DSCOAJ7FuXG9I6Q8
F/RIFHk0DCZ4mAN6tyX/rUCWfVYljZmzdhaBVQYMUJnMiaG1qgD2/wbQkzQpWJca
X+zmd7CcWBhI
=jkhB
-----END PGP SIGNATURE-----

--- End Message ---
