Bug#729867: marked as done (libjpeg8: CVE-2013-6629)

[Debian Bug Tracking System]

Your message dated Tue, 03 Dec 2013 23:33:47 +0000
with message-id <e1vnztp-0007u5...@franck.debian.org>
and subject line Bug#729867: fixed in libjpeg8 8d-2
has caused the Debian Bug report #729867,
regarding libjpeg8: CVE-2013-6629
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
729867: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729867
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libjpeg8
Severity: important
Tags: security

Hi Bill.
I noticed the following in the recent Google Chrome release announcement:
http://googlechromereleases.blogspot.de/2013/11/stable-channel-update.html

| [258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and 
| libjpeg-turbo. Credit to Michal Zalewski of Google.

The related Google bug is closed, but after some digging I found this
posting:
http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html

I don't think this warrants a DSA, but we could still fix this up in a point
release, let me know if you disagree.

Cheers,
        Moritz

--- End Message ---

--- Begin Message ---

Source: libjpeg8
Source-Version: 8d-2

We believe that the bug you reported is fixed in the latest version of
libjpeg8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bill Allombert <ballo...@debian.org> (supplier of updated libjpeg8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 02 Dec 2013 23:11:23 +0100
Source: libjpeg8
Binary: libjpeg8 libjpeg8-dev libjpeg8-dbg libjpeg-progs
Architecture: source amd64
Version: 8d-2
Distribution: unstable
Urgency: high
Maintainer: Bill Allombert <ballo...@debian.org>
Changed-By: Bill Allombert <ballo...@debian.org>
Description: 
 libjpeg-progs - Programs for manipulating JPEG files
 libjpeg8   - Independent JPEG Group's JPEG runtime library
 libjpeg8-dbg - Development files for the IJG JPEG library
 libjpeg8-dev - Development files for the IJG JPEG library
Closes: 729867
Changes: 
 libjpeg8 (8d-2) unstable; urgency=high
 .
   * Apply upstream patch to fix CVE-2013-6629 and CVE-2013-6630.
     closes: #729867.
Checksums-Sha1: 
 a23672a7cb9d42d019951ecaa237718a3a0d723f 1165 libjpeg8_8d-2.dsc
 1b9c17f9a791d17267f563fe1da42a7eb2a28324 14764 libjpeg8_8d-2.debian.tar.gz
 82f77f57155b8c5720a644a18513aa0b7ee732ce 120270 libjpeg8_8d-2_amd64.deb
 9468404ee2b9407f8b58e2462bcb44c3ee37174d 217334 libjpeg8-dev_8d-2_amd64.deb
 10f254f9e2644a1391d05791b8e7e469a577aae2 268334 libjpeg8-dbg_8d-2_amd64.deb
 9a7ac37f34cdbc6e92df9f7372b558797a1e3ff1 78656 libjpeg-progs_8d-2_amd64.deb
Checksums-Sha256: 
 add5d2fae5fb1efe6144462858a5f3f701a94dbbfb983623ea31d3db0f589106 1165 
libjpeg8_8d-2.dsc
 9b36468b2aba24d63d3c87625de89f31834ac429e6dec7d68d86a52b5110219c 14764 
libjpeg8_8d-2.debian.tar.gz
 de2f10daa6f328a2e71526a0d2d46ec0bf6ed30b260718492859020925697727 120270 
libjpeg8_8d-2_amd64.deb
 0ac3597ea737eb0b95d77de5bd8eb592cb3c97f7202b11b3198afce6535d601e 217334 
libjpeg8-dev_8d-2_amd64.deb
 648b42d0175359f66045d4032da9b73e268dbdf868e2dd02e83f41ba221dff83 268334 
libjpeg8-dbg_8d-2_amd64.deb
 7c9bd1875fc2322faccae666fcf246d54df77e7654b4f3da4faebb044120601f 78656 
libjpeg-progs_8d-2_amd64.deb
Files: 
 4a5e628f52d2736b43cc10b0040c498a 1165 graphics optional libjpeg8_8d-2.dsc
 efb851981026627f8722e4a9e0e13b62 14764 graphics optional 
libjpeg8_8d-2.debian.tar.gz
 e20facda363c9f6ae57f992a5f98461c 120270 libs optional libjpeg8_8d-2_amd64.deb
 2fd309f809ab4534c5244343bc94d0d8 217334 libdevel optional 
libjpeg8-dev_8d-2_amd64.deb
 54a8b5ac27c5d376d162416051f9817e 268334 debug extra libjpeg8-dbg_8d-2_amd64.deb
 5674384a322f5f7f9d287c6872d04ecc 78656 graphics optional 
libjpeg-progs_8d-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlKeZZgACgkQeDPs8bVESBXdOACeN6klSLd6iQoYlUTToo60iG7l
G2sAniwcDxjXN+4A9Urx3AUOEaJoJm83
=S5hz
-----END PGP SIGNATURE-----

--- End Message ---