Bug#990527: marked as done (kimageformats: CVE-2021-36083)

To: Norbert Preining <norbert@preining.info>
Subject: Bug#990527: marked as done (kimageformats: CVE-2021-36083)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Thu, 01 Jul 2021 20:36:03 +0000
Message-id: <[🔎] handler.990527.D990527.16251716082661.ackdone@bugs.debian.org>
Reply-to: 990527@bugs.debian.org
References: <E1lz3NF-0009AF-NW@fasolo.debian.org> <[🔎] YN2m91eWYzXoot+v@pisco.westfalen.local>

Your message dated Thu, 01 Jul 2021 20:33:25 +0000
with message-id <E1lz3NF-0009AF-NW@fasolo.debian.org>
and subject line Bug#990527: fixed in kimageformats 5.78.0-5
has caused the Debian Bug report #990527,
regarding kimageformats: CVE-2021-36083
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990527
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: kimageformats: CVE-2021-36083
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Thu, 1 Jul 2021 13:28:55 +0200
Message-id: <[🔎] YN2m91eWYzXoot+v@pisco.westfalen.local>

Source: kimageformats
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for kimageformats.

CVE-2021-36083[0]:
| KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer
| overflow in XCFImageFormat::loadTileRLE.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36083
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36083

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

To: 990527-close@bugs.debian.org
Subject: Bug#990527: fixed in kimageformats 5.78.0-5
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Thu, 01 Jul 2021 20:33:25 +0000
Message-id: <E1lz3NF-0009AF-NW@fasolo.debian.org>
Reply-to: Norbert Preining <norbert@preining.info>

Source: kimageformats
Source-Version: 5.78.0-5
Done: Norbert Preining <norbert@preining.info>

We believe that the bug you reported is fixed in the latest version of
kimageformats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990527@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <norbert@preining.info> (supplier of updated kimageformats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Jul 2021 05:21:43 +0900
Source: kimageformats
Architecture: source
Version: 5.78.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Norbert Preining <norbert@preining.info>
Closes: 990527
Changes:
 kimageformats (5.78.0-5) unstable; urgency=medium
 .
   [ Norbert Preining ]
   * Cherry-pick upstream fix for CVE-2021-36083 (Closes: #990527)
Checksums-Sha1:
 8b2d0d9dc5ae7b705bcc1f613e9502d0bdcbc36e 2162 kimageformats_5.78.0-5.dsc
 49422ee5bcd3dfeac9ab4e2408b0bf08f50ae4e2 10596 kimageformats_5.78.0-5.debian.tar.xz
 ab26e6c78c820f7e2b424c0a4d23de11d6b31cdd 11529 kimageformats_5.78.0-5_source.buildinfo
Checksums-Sha256:
 f29227176c3703befbe159defdeaf7a62d5e021de43f40f97eda18061132e80a 2162 kimageformats_5.78.0-5.dsc
 9299655606e0554a425478547f8884e8fe6ed7b94548ee519cfb781be2ad08b9 10596 kimageformats_5.78.0-5.debian.tar.xz
 2f939b292d50487795043425da1e11b218badee3aed9c731457b53291de2cecd 11529 kimageformats_5.78.0-5_source.buildinfo
Files:
 249beba635a36d519947d274cb1ce42b 2162 kde optional kimageformats_5.78.0-5.dsc
 544783464e88a2defd0dece952143ec9 10596 kde optional kimageformats_5.78.0-5.debian.tar.xz
 ce209f7d8db659a0c0d67307e05794b9 11529 kde optional kimageformats_5.78.0-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE68ws0vrA2voQX53I2A4JsIcUAGYFAmDeJFIACgkQ2A4JsIcU
AGaQjwf/fTNOg+2HrsPsEqIlajZUBAwS2N+XmXwtDfdwZv68ePmyjVug3ObmXTNO
1+S84IxX2wE0kK1k2MHcDSsT6/3svUHfuKdm7QDEytH1TLqqdrGBBP91UJlPoXM8
cmL9zC4kSyUhx21ngDoYsUHDABP86OoDC8YaChHzcL186xq8KFKZsDJZz5XMgMQZ
3/oOXUViE9z1vqPH2mw5DrDjn/Wira9GUGZ27UIDIORsI66B0lFVOtALKz5Ru6Xx
sRAPMBoXK+9+1GMNlscmqXrMXxgcdRUpCfnUsDhWNEiPhMc98s6EatSCcwwidGwQ
1+xl3eDiXb29sZORSWG6X7REBpcYyA==
=wWum
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

References:
- Bug#990527: kimageformats: CVE-2021-36083
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Bug#990527: kimageformats: CVE-2021-36083
Next by Date: Processing of kimageformats_5.78.0-5_source.changes
Previous by thread: Bug#990527: kimageformats: CVE-2021-36083
Next by thread: Processed: found 990527 in 5.78.0-4, closing 990527
Index(es):
- Date
- Thread