Bug#1069191: marked as done (glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence)
Your message dated Tue, 23 Apr 2024 16:47:50 + with message-id and subject line Bug#1069191: fixed in glibc 2.31-13+deb11u9 has caused the Debian Bug report #1069191, regarding glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1069191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: glibc Version: 2.37-17 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.37-15 Control: found -1 2.36-9+deb12u5 Control: found -1 2.36-9+deb12u4 Control: found -1 2.36-9 Control: found -1 2.31-13+deb11u8 Control: found -1 2.31-13 Hi, The following vulnerability was published for glibc. CVE-2024-2961[0]: | The iconv() function in the GNU C Library versions 2.39 and older | may overflow the output buffer passed to it by up to 4 bytes when | converting strings to the ISO-2022-CN-EXT character set, which may | be used to crash an application or overwrite a neighbouring | variable. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-2961 https://www.cve.org/CVERecord?id=CVE-2024-2961 [1] https://www.openwall.com/lists/oss-security/2024/04/17/9 Regards, Salvatore --- End Message --- --- Begin Message --- Source: glibc Source-Version: 2.31-13+deb11u9 Done: Aurelien Jarno We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1069...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Aurelien Jarno (supplier of updated glibc package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 Apr 2024 22:40:26 +0200 Source: glibc Architecture: source Version: 2.31-13+deb11u9 Distribution: bullseye-security Urgency: medium Maintainer: GNU Libc Maintainers Changed-By: Aurelien Jarno Closes: 1069191 Changes: glibc (2.31-13+deb11u9) bullseye-security; urgency=medium . * debian/patches/any/local-CVE-2024-2961-iso-2022-cn-ext.patch: Fix out-of-bound writes when writing escape sequence in iconv ISO-2022-CN-EXT module (CVE-2024-2961). Closes: #1069191. Checksums-Sha1: d555a20390c7fba05a2cd1f5419bf973c1e9a969 8347 glibc_2.31-13+deb11u9.dsc 60fc288d2351b8b8c2b6ad23aa1f8f65c795249c 961928 glibc_2.31-13+deb11u9.debian.tar.xz 42ef9addd34cfe89709a746373618fcea2ea8d11 9270 glibc_2.31-13+deb11u9_source.buildinfo Checksums-Sha256: d434d56ceee9b81ca36558abdf21fe95ce96dd0be5f296c4d1394a53aac3bdce 8347 glibc_2.31-13+deb11u9.dsc c57f8a2e9bfbedeb110cfe35f9aa387337464ab1233de37f520a802f828a2b97 961928 glibc_2.31-13+deb11u9.debian.tar.xz cd4f7494c0cb52b6f0d8b001cffb111b21f8d33515f43321103b41224e6b2dba 9270 glibc_2.31-13+deb11u9_source.buildinfo Files: 1380cc777ac43126bbdd4897ee61b795 8347 libs required glibc_2.31-13+deb11u9.dsc 1d4c2a4a8ac6df5fa8aa09d321aed75b 961928 libs required glibc_2.31-13+deb11u9.debian.tar.xz b5e0bcd9c0e7954c897758490d5647ad 9270 libs required glibc_2.31-13+deb11u9_source.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmYi2KcACgkQE4jA+Jno M2tKbBAAiAu+/4xAq5ZQxjpEcxESNsgZomD1Wz0z17IuvkQD1+bUYAkFu/Bkxz+k hSA7COEzXSO8xEp2fmkRPrL711MR2USsDde0muZFHHYpcBQXgGJdRwSDnFJ9HE/l nGgaBHJSQyi/li8lGuGLjiRECCzLZF6pw0mAggEkULwnjN0FG7kMW39EBcZAABpX WmZacAJOozUDTYNEowx4V+lwDujMUKr6nxrtL1xUUsMnY7wcU7Kd/hOCXgcU37VO fjYQkDw5XBLCP/sDgxjAtsv5Ep4qLcsbm23SAycv00JUygyL4/OolQWSU8vSt8Bs Pdfdd1CaTSY+LdjrxtHXxFbKsNcjXI+2u2GNQ8m8jzvYEB4j2yX6dyE1zOugxOBo EOZNu13+/8Tn6XFm7gsQmo4CBju9je3CpgrWAa+XGUP3KKWe+XotmqlkEJwZDn3X XXZaGYNtb5HebmUgQhs+H56J/qpcv2Cb4CM4K7mF/e3YKzwAb53qHsisjYN+krMC QEfdEqUl9i1ip8f2z6ME8WB+92mfCg/i3YOk5NfdBS6BQWXeDAtkALyxxWRZgIsa 4vPDc0poYFTpUj6QrqbymlSnC/iKVUydrmjrok6XhxuJUrE+vcM7EK0lfChyVP17 rm8hcN2/xVHOebJFPTC9+jWr4VQHoBFND2unKHib2xH+2lkJVFg= =tfsn -END PGP SIGNATURE-
Bug#1069191: marked as done (glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence)
Your message dated Tue, 23 Apr 2024 16:47:08 + with message-id and subject line Bug#1069191: fixed in glibc 2.36-9+deb12u6 has caused the Debian Bug report #1069191, regarding glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1069191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: glibc Version: 2.37-17 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.37-15 Control: found -1 2.36-9+deb12u5 Control: found -1 2.36-9+deb12u4 Control: found -1 2.36-9 Control: found -1 2.31-13+deb11u8 Control: found -1 2.31-13 Hi, The following vulnerability was published for glibc. CVE-2024-2961[0]: | The iconv() function in the GNU C Library versions 2.39 and older | may overflow the output buffer passed to it by up to 4 bytes when | converting strings to the ISO-2022-CN-EXT character set, which may | be used to crash an application or overwrite a neighbouring | variable. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-2961 https://www.cve.org/CVERecord?id=CVE-2024-2961 [1] https://www.openwall.com/lists/oss-security/2024/04/17/9 Regards, Salvatore --- End Message --- --- Begin Message --- Source: glibc Source-Version: 2.36-9+deb12u6 Done: Aurelien Jarno We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1069...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Aurelien Jarno (supplier of updated glibc package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 Apr 2024 18:34:04 +0200 Source: glibc Architecture: source Version: 2.36-9+deb12u6 Distribution: bookworm-security Urgency: medium Maintainer: GNU Libc Maintainers Changed-By: Aurelien Jarno Closes: 1069191 Changes: glibc (2.36-9+deb12u6) bookworm-security; urgency=medium . * debian/patches/any/local-CVE-2024-2961-iso-2022-cn-ext.diff: Fix out-of-bound writes when writing escape sequence in iconv ISO-2022-CN-EXT module (CVE-2024-2961). Closes: #1069191. Checksums-Sha1: 89201c9a3dc4b12a21085158cc671e65ef2cd2d2 9761 glibc_2.36-9+deb12u6.dsc ce2b34137062a0ddba922d5b34a80770737bb59c 858672 glibc_2.36-9+deb12u6.debian.tar.xz a44d3239eba25b6c7f4ce2756457d71ae0b857ac 9744 glibc_2.36-9+deb12u6_source.buildinfo Checksums-Sha256: fbd6a3b34c8019bc677c1aa3c55a7cdd2fac0f5226151d408cbf107e89002c10 9761 glibc_2.36-9+deb12u6.dsc dab8173d6a6393b50ed0737bd32ff993a3fa7bf4a837573eab8c67f1391ecb12 858672 glibc_2.36-9+deb12u6.debian.tar.xz 7ee850a9b13f43b44460b82fd59ca548b22123dd500bf942c3af4acbbb957bf6 9744 glibc_2.36-9+deb12u6_source.buildinfo Files: d98990edb6c22014e5b8c48aa43152c9 9761 libs required glibc_2.36-9+deb12u6.dsc 65d05b6e083f7e0d364a30fa0349efd9 858672 libs required glibc_2.36-9+deb12u6.debian.tar.xz 1cdb197b7714c8fd5c6e9ca7d19aa569 9744 libs required glibc_2.36-9+deb12u6_source.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmYirqMACgkQE4jA+Jno M2sPNQ/+LTclWWW5JsLlpFpI1n0eCno6yzVxuU7nW31IffIRQ/eNYPqKa2iM+Wi+ q41DfI/0KV8yLdVkGiTofVK4RnFAAwN7FIzX0NBazCNlhr3cgBOR33YS8ep0bOfN EjXAS0PYsUwCB1Rf5ozKja6j0Lt8oWoodhRYayL29/WA8yf7oJru/Xaho0bVj68B lP29vRFEtNeBcG+s9iR617jlnUrbyY+1qCP5CwtRH6cBTKM6RozK8hCcNiw/BSwx S9wK+62oMNOpUJaOJLfuIygJH0nwaHzKQU+MQkQhI97ROeJJkGOhzBjAZK44CjkZ HYsizViEUO2Qjq5stTuExD6uYeLK9lcmlhwRgQVqqyQTRKoUOssQDeiNY/SyYscH 3f/HbUJ4QYQ5mlnpYrP3i7EQ2qHbzHEy6qgnmhhnoiPBr7vFQ7/CijIzt7RF78E8 B3XWTiWFuy5SCouXtEoJHhWrE2XNU/w5Ucpe+e2R23mnu5362ECGGvT+WHU2maaD TBdCwNYqw1oA5iy5XwF/FdlRqSEQk88vohl73EFPHl9HTyYiKcxlocQgRFRumv7x NFPHMxk27kGm7kXJb0FtBT7XOX+XUOjbCYRiNqWMlT/mH8bFg/Ey5KXI9TKXUjHB +fQKMYdXSn9O1waG9XFkDmz5TmrbP2+4vv9iahgXoanYnezUKCY= =p/cK -END PGP SIGNATURE- pgpJxbA8Mzw_d.pgp
Bug#1069191: marked as done (glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence)
Your message dated Fri, 19 Apr 2024 05:20:35 + with message-id and subject line Bug#1069191: fixed in glibc 2.37-18 has caused the Debian Bug report #1069191, regarding glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1069191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: glibc Version: 2.37-17 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.37-15 Control: found -1 2.36-9+deb12u5 Control: found -1 2.36-9+deb12u4 Control: found -1 2.36-9 Control: found -1 2.31-13+deb11u8 Control: found -1 2.31-13 Hi, The following vulnerability was published for glibc. CVE-2024-2961[0]: | The iconv() function in the GNU C Library versions 2.39 and older | may overflow the output buffer passed to it by up to 4 bytes when | converting strings to the ISO-2022-CN-EXT character set, which may | be used to crash an application or overwrite a neighbouring | variable. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-2961 https://www.cve.org/CVERecord?id=CVE-2024-2961 [1] https://www.openwall.com/lists/oss-security/2024/04/17/9 Regards, Salvatore --- End Message --- --- Begin Message --- Source: glibc Source-Version: 2.37-18 Done: Aurelien Jarno We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1069...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Aurelien Jarno (supplier of updated glibc package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 Apr 2024 07:10:32 +0200 Source: glibc Architecture: source Version: 2.37-18 Distribution: unstable Urgency: medium Maintainer: GNU Libc Maintainers Changed-By: Aurelien Jarno Closes: 1069191 Changes: glibc (2.37-18) unstable; urgency=medium . * debian/patches/git-updates.diff: update from upstream stable branch: - Fix fix out-of-bound writes when writing escape sequence in iconv ISO-2022-CN-EXT module (CVE-2024-2961). Closes: #1069191. Checksums-Sha1: 55a2d32004c64d219b2c24802cc30e5a7aa02729 9043 glibc_2.37-18.dsc 6e6a9646c9296dc7de9b321f2a07a432472ff27b 422556 glibc_2.37-18.debian.tar.xz 1b076043374ce74f757b97bf54b4dca9705b9a33 10084 glibc_2.37-18_source.buildinfo Checksums-Sha256: 53fec1eca4e1c6e7ccb36a533eeb3e6b76c6ba5ecfb6ad0e66ee251ae356b638 9043 glibc_2.37-18.dsc 2d04ca854821da8d1a414d0afa20812cba5e3cfb9e10da7d824f9d8215acccad 422556 glibc_2.37-18.debian.tar.xz c8e98dd7add508db574499a2543b7d6f425dde3bee4de28502977dac0392f0c0 10084 glibc_2.37-18_source.buildinfo Files: 7f6b5b38d801a916027c292fedf6c6af 9043 libs required glibc_2.37-18.dsc 62a072981057354cea926396dd00c0ff 422556 libs required glibc_2.37-18.debian.tar.xz 87335394d5cf6b840689e187a8b591e7 10084 libs required glibc_2.37-18_source.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmYh/VUACgkQE4jA+Jno M2s+5w//SZHS7bFkz8VPpL2HrkP1cYgMuCswNIyLtf9h3533u9V4LU/XfEIh6OGV 7WnGDMO3HGUr2RvrgN5JqYRIP0YO5XaYJtkZrr9Tgy4QshTf8KZxxML2nKYJW62h GSEH8rPyHGjWwOgIOZ1tlMUp2Io+l15SEfMotOmDfjIoc5epwlXqdp1pgZaAlxZn i72jTm+Bj7/BlfTjYmrl1VDKJUw6fJmN+GOhEhl1eOsLWl1QN3S+d/pwtaPbgscF rCN18d9r1IodH8wpUmAKosgZ7hDuEIlL/+Z5f1YwcquE5+UtzVv7VfCor289Xi1i rKSTy7Eyurfh/zvfBvl9gdgmN66Y+Ey4h8ks1HkItQS53R6QjFaFqiNOjDNF1VKv MOvsqENoARp3fS/gcbL53mEi53pSvPWIiaiZygQ/2aonwIFEJSKC6s4QQ96OIjSs AJVCKjVYFU1Kht5kAr5yhUEg0fdcj11jLLF5UD7ZXABx4fFU+aKffnBd4qfiNRsY 4l/3hxKv6gsxaBVEAINCXJZmuMv7xz/Ir6YcKATQdiGNgTRijxJ6teqr+uUrxgqt k5DxrVntZwL8Xoy20gIejYwRGx4MlhSW5eYGWXyygyG8rnt6T+rR8eo+/WF0Blnq fzImbXtNf+vHkOpgAGmk7iIuG8MJZcFIEIRn/3vrYsghAqsq56U= =EcGb -END PGP SIGNATURE- pgpnpA4A7sfFs.pgp Description: PGP signature --- End Message ---