Your message dated Sun, 28 May 2017 06:03:36 +0000
with message-id <[email protected]>
and subject line Bug#863316: fixed in libonig 6.1.3-2
has caused the Debian Bug report #863316,
regarding libonig: CVE-2017-9228
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
863316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863316
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libonig
Version: 5.9.5-3.2
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/kkos/oniguruma/issues/60
Hi,
the following vulnerability was published for libonig.
CVE-2017-9228[0]:
| An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
| Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
| out-of-bounds write occurs in bitset_set_range() during regular
| expression compilation due to an uninitialized variable from an
| incorrect state transition. An incorrect state transition in
| parse_char_class() could create an execution path that leaves a
| critical local variable uninitialized until it's used as an index,
| resulting in an out-of-bounds write memory corruption.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228
[1] https://github.com/kkos/oniguruma/issues/60
[2] https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libonig
Source-Version: 6.1.3-2
We believe that the bug you reported is fixed in the latest version of
libonig, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jörg Frings-Fürst <[email protected]> (supplier of updated libonig
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 27 May 2017 12:05:50 +0200
Source: libonig
Binary: libonig4 libonig4-dbg libonig-dev
Architecture: source
Version: 6.1.3-2
Distribution: unstable
Urgency: high
Maintainer: Jörg Frings-Fürst <[email protected]>
Changed-By: Jörg Frings-Fürst <[email protected]>
Description:
libonig-dev - regular expressions library — development files
libonig4 - regular expressions library
libonig4-dbg - regular expressions library — debugging symbols
Closes: 863312 863313 863314 863315 863316 863318
Changes:
libonig (6.1.3-2) unstable; urgency=high
.
* New debian/patches/0500-CVE-2017-922[4-9].patch:
- Cherrypicked from upstream to correct:
+ CVE-2017-9224 (Closes: #863312)
+ CVE-2017-9225 (Closes: #863313)
+ CVE-2017-9226 (Closes: #863314)
+ CVE-2017-9227 (Closes: #863315)
+ CVE-2017-9228 (Closes: #863316)
+ CVE-2017-9229 (Closes: #863318)
Checksums-Sha1:
8878bdc9175853ad8f7d68dd18be483313b1b181 1974 libonig_6.1.3-2.dsc
0b34ed9aa2fa49687e73455b1371e9f05085bc1a 8376 libonig_6.1.3-2.debian.tar.xz
Checksums-Sha256:
890c77479a6d3a90085f6983d49b954c1c795d29953bc5265b28adbd98bf9527 1974 libonig_6.1.3-2.dsc
0e7112bd8eeaeba54212b8211f707b914bdf0c15c2075e3430d21f56c3ad212c 8376 libonig_6.1.3-2.debian.tar.xz
Files:
2938f89898d134d321017ae1ff314199 1974 libs extra libonig_6.1.3-2.dsc
bdbad76addb7c9320a8789b75e0bc8fd 8376 libs extra libonig_6.1.3-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=g5n5
-----END PGP SIGNATURE-----
--- End Message ---
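The accepted-upload message above lists the Checksums-Sha256 stanza for the fixed libonig_6.1.3-2 source package. The script below is an added example, not part of the bug report, the Debian archive tooling or the libonig package: it parses that stanza out of a .changes file and checks every listed file's SHA-256 hash and size against what is on disk, rejecting a modified file. The .dsc and .changes fixture it builds is constructed inline (with a placeholder MD5 in the Files stanza) so it runs offline; the function and file names are this example's own, and it assumes coreutils `sha256sum` is available.

```shell
#!/bin/sh
# Added example (not from the bug report or the libonig package): verify the
# Checksums-Sha256 stanza of a Debian .changes file against files on disk.
# The fixture is constructed here so the script runs offline; the real hashes
# for libonig_6.1.3-2 are the ones quoted in the .changes message above.
set -eu

# Print "hash size name" for every entry under Checksums-Sha256:.
# Entry lines in a .changes file begin with a space, which awk ignores.
sha256_entries() {
    awk '/^Checksums-Sha256:/ { s = 1; next }
         /^[A-Za-z0-9-]+:/    { s = 0 }
         s && NF == 3         { print $1, $2, $3 }' "$1"
}

# Verify every listed file in DIR: hash and size must both match.
# Prints one OK/BAD/MISSING line per file; returns 0 only if all are OK.
verify_sha256_stanza() {
    changes="$1"; dir="$2"
    report=$(sha256_entries "$changes" | while read -r want_hash want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"; continue
        fi
        got_hash=$(sha256sum "$path" | cut -d' ' -f1)
        got_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$got_hash" = "$want_hash" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK      $name"
        else
            echo "BAD     $name (hash or size mismatch)"
        fi
    done)
    # An absent stanza is a failure too: nothing was verified.
    [ -n "$report" ] || { echo "no Checksums-Sha256 stanza found"; return 1; }
    printf '%s\n' "$report"
    case "$report" in
        *BAD*|*MISSING*) return 1 ;;
    esac
    return 0
}

# Build a constructed fixture: a small fake .dsc plus a .changes that lists it.
# Prints the directory path. The MD5 in the Files stanza is a placeholder.
make_fixture() {
    d=$(mktemp -d)
    printf 'Format: 3.0 (quilt)\nSource: libonig\nVersion: 6.1.3-2\n' > "$d/libonig_6.1.3-2.dsc"
    h=$(sha256sum "$d/libonig_6.1.3-2.dsc" | cut -d' ' -f1)
    s=$(wc -c < "$d/libonig_6.1.3-2.dsc" | tr -d ' ')
    {
        echo "Format: 1.8"
        echo "Source: libonig"
        echo "Checksums-Sha256:"
        echo " $h $s libonig_6.1.3-2.dsc"
        echo "Files:"
        echo " 00000000000000000000000000000000 $s libs extra libonig_6.1.3-2.dsc"
    } > "$d/libonig_6.1.3-2_source.changes"
    echo "$d"
}

# Stand-alone demo: the clean fixture verifies; a modified .dsc is rejected.
fixture=$(make_fixture)
verify_sha256_stanza "$fixture/libonig_6.1.3-2_source.changes" "$fixture"
echo "tampered" >> "$fixture/libonig_6.1.3-2.dsc"
if verify_sha256_stanza "$fixture/libonig_6.1.3-2_source.changes" "$fixture"; then
    echo "unexpected: tampered file passed"
else
    echo "tampered file rejected, as expected"
fi
rm -rf "$fixture"
```

Checking size as well as hash mirrors what the stanza records; the OpenPGP signature over the .changes file (the `-----BEGIN PGP SIGNED MESSAGE-----` block above) is what binds those hashes to the uploader, so in practice `gpg --verify` on the .changes precedes this step.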