Your message dated Sun, 10 Feb 2019 19:17:09 +0000
with message-id <[email protected]>
and subject line Bug#910757: fixed in gnulib 20140202+stable-2+deb9u1
has caused the Debian Bug report #910757,
regarding gnulib: CVE-2018-17942 heap-based buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
910757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910757
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnulib
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for gnulib.
CVE-2018-17942[0]:
| The convert_to_decimal function in vasnprintf.c in Gnulib before
| 2018-09-23 has a heap-based buffer overflow because memory is not
| allocated for a trailing '\0' character during %f processing.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-17942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17942
Patch is available here:
https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35
Please adjust the affected versions in the BTS as needed.
Regards,
Markus
--- End Message ---
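The CVE text quoted in the report above names the bug class: a decimal-conversion buffer was sized for the digits but not for the terminating '\0', so the terminator landed one byte past the heap allocation. The following C program is an added illustration of that size accounting; it is not gnulib's convert_to_decimal and is not part of this bug report. The 32-bit little-endian limb layout and the names decimal_buffer_size, bignum_to_decimal and decimal_equals are assumptions made for the example.

```c
/* Added illustration of the CVE-2018-17942 bug class (missing '\0' in the
   buffer budget of a bignum-to-decimal converter). Simplified, not gnulib's
   code; limb layout and function names are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian array of 32-bit limbs: value = sum limb[i] * 2^(32*i). */
typedef struct {
    const uint32_t *limb;
    size_t n;
} bignum;

/* Bytes needed for the decimal string of an n-limb number.
   Each 32-bit limb contributes at most 10 decimal digits (2^32 < 10^10).
   The '+ 1' is the terminator that a digits-only budget forgets. */
size_t decimal_buffer_size(size_t n_limbs)
{
    size_t digits = (n_limbs == 0) ? 1 : 10 * n_limbs;
    return digits + 1;
}

/* Divide the limb array by 10 in place (most significant limb first);
   return the remainder. rem < 10, so (rem << 32) | a[i] fits in 64 bits. */
static uint32_t divmod10(uint32_t *a, size_t n)
{
    uint64_t rem = 0;
    for (size_t i = n; i-- > 0; ) {
        uint64_t cur = (rem << 32) | a[i];
        a[i] = (uint32_t)(cur / 10);
        rem = cur % 10;
    }
    return (uint32_t)rem;
}

static int is_zero(const uint32_t *a, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i]) return 0;
    return 1;
}

/* Convert x to a NUL-terminated decimal string. Caller frees the result.
   Returns NULL on allocation failure. */
char *bignum_to_decimal(bignum x)
{
    size_t cap = decimal_buffer_size(x.n);
    char *out = malloc(cap);
    if (!out) return NULL;

    uint32_t *work = NULL;
    if (x.n) {
        work = malloc(x.n * sizeof *work);
        if (!work) { free(out); return NULL; }
        memcpy(work, x.limb, x.n * sizeof *work);
    }

    /* Digits are produced least-significant first and written backwards from
       the end of the buffer. Because cap counts the terminator, out[cap - 1]
       is always inside the allocation, and at most 10 * n digits precede it. */
    size_t pos = cap - 1;
    out[pos] = '\0';
    if (x.n == 0 || is_zero(work, x.n)) {
        out[--pos] = '0';
    } else {
        while (!is_zero(work, x.n))
            out[--pos] = (char)('0' + divmod10(work, x.n));
    }
    memmove(out, out + pos, cap - pos);
    free(work);
    return out;
}

/* Convert, compare with the expected text, free; 1 on match, 0 otherwise. */
int decimal_equals(const uint32_t *limbs, size_t n, const char *expected)
{
    bignum x = { limbs, n };
    char *s = bignum_to_decimal(x);
    int ok = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed input: 2^64 - 1, which needs exactly 10 * 2 = 20 digits. */
    const uint32_t all_ones[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };
    char *s = bignum_to_decimal((bignum){ all_ones, 2 });
    printf("%s (buffer %zu bytes, %zu digits + NUL)\n",
           s ? s : "(oom)", decimal_buffer_size(2), s ? strlen(s) : 0);
    free(s);
    return 0;
}
```

The two-limb all-ones value is the edge case worth keeping in mind: it produces 20 digits, exactly the digit bound, so a buffer sized for the digits alone would have the terminator written one byte beyond the allocation, which is the heap overrun the changelog entry above describes. Running such a converter under AddressSanitizer with inputs at the digit bound is the cheapest way to catch this class of off-by-one before it ships.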
--- Begin Message ---
Source: gnulib
Source-Version: 20140202+stable-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
gnulib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated gnulib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Feb 2019 21:58:02 +0100
Source: gnulib
Binary: gnulib git-merge-changelog
Architecture: source
Version: 20140202+stable-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Ian Beckwith <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 910757
Description:
git-merge-changelog - git merge driver for GNU ChangeLog files
gnulib - GNU Portability Library
Changes:
gnulib (20140202+stable-2+deb9u1) stretch; urgency=medium
.
* Non-maintainer upload.
* vasnprintf: Fix heap memory overrun bug (CVE-2018-17942) (Closes: #910757)
Checksums-Sha1:
9aab0b9b8729984acffeda2dc14308a201c65762 2192
gnulib_20140202+stable-2+deb9u1.dsc
b5587c93c90e5c3dc69cdfacdf3455d64943d12a 290364
gnulib_20140202+stable-2+deb9u1.debian.tar.xz
Checksums-Sha256:
7de5910cf588495d5f9543dd2a8684db6f2aec97fb5929c49d7cc095ee91fce4 2192
gnulib_20140202+stable-2+deb9u1.dsc
8529f3c565ad3f31504ebfbeab819e4f8f89cbd618987d3942b8184a8b3fa9f9 290364
gnulib_20140202+stable-2+deb9u1.debian.tar.xz
Files:
24ab39e38e58470f1081ecd62fc1af9e 2192 devel optional
gnulib_20140202+stable-2+deb9u1.dsc
48277af55bb4f363bf7b1a5d15c2d6d2 290364 devel optional
gnulib_20140202+stable-2+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---