Your message dated Sat, 10 Nov 2018 18:04:15 +0000
with message-id <[email protected]>
and subject line Bug#913173: fixed in gettext 0.19.8.1-9
has caused the Debian Bug report #913173,
regarding gettext: CVE-2018-18751
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
913173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913173
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gettext
Version: 0.19.8.1-8
Severity: minor
Tags: security upstream
Hi Santiago,
The following vulnerability was published for gettext, and as
discussed already this has negligible security impact if at all. But
still filing the bug for tracking purposes so we can update the
tracker entry once the issue is fixed. Chose severity minor as well.
CVE-2018-18751[0]:
| An issue was discovered in GNU gettext 0.19.8. There is a double free
| in default_add_message in read-catalog.c, related to an invalid free in
| po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-18751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18751
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gettext
Source-Version: 0.19.8.1-9
We believe that the bug you reported is fixed in the latest version of
gettext, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated gettext package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 10 Nov 2018 18:34:46 +0100
Source: gettext
Binary: gettext-base gettext gettext-el gettext-doc autopoint libgettextpo0
 libasprintf0v5 libgettextpo-dev libasprintf-dev
Architecture: source
Version: 0.19.8.1-9
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Description:
 autopoint - The autopoint program from GNU gettext
 gettext - GNU Internationalization utilities
 gettext-base - GNU Internationalization utilities for the base system
 gettext-doc - Documentation for GNU gettext
 gettext-el - Emacs po-mode for editing gettext .po files
 libasprintf-dev - GNU Internationalization library development files
 libasprintf0v5 - GNU library to use fprintf and friends in C++
 libgettextpo-dev - GNU Internationalization library development files
 libgettextpo0 - GNU Internationalization library
Closes: 913173
Changes:
 gettext (0.19.8.1-9) unstable; urgency=medium
 .
   * Fix double-free problem with *.po file input. Closes: #913173.
     Patch extracted from upstream git where it was fixed by Daiki Ueno.
     For reference, this is CVE-2018-18751.
   * Add bison to Build-Depends, required by the above.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---