Your message dated Thu, 17 May 2018 18:10:21 +0000 with message-id <e1fjnm5-000dcf...@fasolo.debian.org> and subject line Bug#863151: fixed in lrzip 0.631+git180517-1 has caused the Debian Bug report #863151, regarding lrzip: CVE-2017-8845: invalid memory read in lzo_decompress_buf to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 863151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863151 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: lrzip Severity: important Tags: upstream security Forwarded: https://github.com/ckolivas/lrzip/issues/68 Hi, the following vulnerability was published for lrzip. CVE-2017-8845[0]: | The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in | lrzip 0.631, allows remote attackers to cause a denial of service | (invalid memory read and application crash) via a crafted archive. Filling this downstream in the Debian BTS, with foward to the upstream one so we can track any possible conclusion + fix. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-8845 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8845 [1] https://github.com/ckolivas/lrzip/issues/68 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: lrzip Source-Version: 0.631+git180517-1 We believe that the bug you reported is fixed in the latest version of lrzip, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 863...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated lrzip package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 17 May 2018 15:42:06 +0000 Source: lrzip Binary: lrzip Architecture: source amd64 Version: 0.631+git180517-1 Distribution: unstable Urgency: high Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org> Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org> Description: lrzip - compression program with a very high compression ratio Closes: 863145 863150 863151 863153 863155 863156 866020 866022 887065 888506 897645 898451 Changes: lrzip (0.631+git180517-1) unstable; urgency=high . * Git snapshot release to fix security issues: - CVE-2017-8842: divide-by-zero in bufRead::get() (closes: #863156), - CVE-2017-8843: NULL pointer dereference in join_pthread() (closes: #863155), - CVE-2017-8844: heap-based buffer overflow write in read_1g() (closes: #863153), - CVE-2017-8845: invalid memory read in lzo_decompress_buf() (closes: #863151), - CVE-2017-8846: use-after-free in read_stream() (closes: #863150), - CVE-2017-8847: NULL pointer dereference in bufRead::get() (closes: #863145), - CVE-2017-9928: stack buffer overflow in get_fileinfo() (closes: #866022), - CVE-2017-9929: another stack buffer overflow in get_fileinfo() (closes: #866020), - CVE-2018-5650: infinite loop from crafted/corrupt archive in unzip_match() (closes: #887065), - CVE-2018-5747: use-after-free in ucompthread() (closes: #898451), - CVE-2018-5786: infinite loop in get_fileinfo() (closes: #888506), - CVE-2018-9058: infinite loop in runzip_fd() , - CVE-2018-10685: use-after-free in lzma_decompress_buf() (closes: #897645). * Update homepage location. * Update debhelper level to 11: - don't need dh_installman anymore, - remove dh-autoreconf build dependency, - remove autotools-dev build dependency. * Update Standards-Version to 4.1.4 . Checksums-Sha1: 55c93759cf16e87ae9d56738e982f07396de915c 1833 lrzip_0.631+git180517-1.dsc 49d52bb9edc1524469d618cbe867560c8d704060 200660 lrzip_0.631+git180517.orig.tar.xz 3fbd5121440aee6c9a26fe2e53c0a7e42f095781 7688 lrzip_0.631+git180517-1.debian.tar.xz 8ac6130b8ceea862a54b253ffc17ebfc79b0cdb2 606280 lrzip-dbgsym_0.631+git180517-1_amd64.deb f79257b587a3fe3594f79400906d19018b352df5 6826 lrzip_0.631+git180517-1_amd64.buildinfo c10d6d80eaba467bd8472a836ee192dae21edf17 258876 lrzip_0.631+git180517-1_amd64.deb Checksums-Sha256: 18876a30fba64e3e5730a4ecf55687b762d50629a6c7dac52273cfb028b1ec3b 1833 lrzip_0.631+git180517-1.dsc 9e96b797efb4e908a2412c4e287fd42e766def638e8126cd306397d572a176ef 200660 lrzip_0.631+git180517.orig.tar.xz 176d38dd20bc9335562b1102d9c907f8bc33922ba07b9dada2461da73fc64c28 7688 lrzip_0.631+git180517-1.debian.tar.xz e58240fcd0eef1f3f7738b35ac6c81722f0b805b1e7639100a42ba3b335bd174 606280 lrzip-dbgsym_0.631+git180517-1_amd64.deb 748dfdf17c6cc651a9a97116429615bf4fbc2449c41bac4b57ccd1ccf9c1453e 6826 lrzip_0.631+git180517-1_amd64.buildinfo 0cd786cf86077e91fba4fc4944ea987643bb98459fa9f76a73ff9c5fd09a146b 258876 lrzip_0.631+git180517-1_amd64.deb Files: e9c146c5bc64bebe67a2ae4599ffbf49 1833 utils optional lrzip_0.631+git180517-1.dsc cd554ed96a3e4a4d02231df70879b842 200660 utils optional lrzip_0.631+git180517.orig.tar.xz 0e8c44a78604f83544d5f6a0ef79485a 7688 utils optional lrzip_0.631+git180517-1.debian.tar.xz 32e3570a65a39477911f384fedae8dc1 606280 debug optional lrzip-dbgsym_0.631+git180517-1_amd64.deb 4ed5c1db1b8ab0a27fa4b84ebbfe3aa8 6826 utils optional lrzip_0.631+git180517-1_amd64.buildinfo 04db0b66b329ea490835728f5244be53 258876 utils optional lrzip_0.631+git180517-1_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlr9wB8ACgkQ3OMQ54ZM yL90exAAkBIFwgAn2LJ58/BKFZ5jhndecOTJFQhWJ4G+N/ucDsp7Kf6S9h3DyxFJ EH5DHVFD07psF1ieGAieEvg58NpO6Nf7HAFFwtJdnoZ60p2LUe160Dum6sWdVTm7 gAxJdxoIXKVUy43wRbrMgGHfkq+QoS04VLrxEND+UW1i1Vkb6cOgZXhVbcMhPEfb pFoWNJtRT3WdEcIOgx8YFh2uaeFXMdcEWnda/OD5JDF4Wu2se53PLRJ2zj7GNtVb BNpPcyoTuOusxe965RNFzubIBrBchpJz8EtacdLt9lTZBY8VmKGnktR3ocIsLNIm f6LqxYbyWlyMBJo/QkIZ/DiQLFxNGzk5O5SARGMd1CduqTzj3sQyyXbQJuoO5VTy yxjBevSuCTx3LYJaE5H5zKvDhmfnDYioD1NGMho0SN3m3K8A1H/UjNhrgMmb44Ip 5buadpsgH4vZJ6RAe+uwuxjp9sj4/P9LLV+PY3xy1fregQPUxuOQVcdcEtzCJd4N +PHyZxAQOnH11BUj8WaAyyRK4JtrlqLQwm1EkjVCOAc55Z0FzM6VxwBAo/IkYvt1 VOWz20STbPoDycahnygADU57KBdQEm+X3FkTS2LKKXJSd3j/go2zG274ihqjaFQJ BNDnbJVx0UIrapmUHva7Dfu+WbCHScRRGWfGj0OtVG9dwKMGunw= =HAH8 -----END PGP SIGNATURE-----
--- End Message ---
