Your message dated Sat, 09 Nov 2019 20:35:12 +0000
with message-id <[email protected]>
and subject line Bug#942646: fixed in libxslt 1.1.32-2.2~deb10u1
has caused the Debian Bug report #942646,
regarding libxslt: CVE-2019-18197
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
942646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.32-2.1
Severity: important
Tags: security upstream
Control: found -1 1.1.32-1
Control: found -1 1.1.32-2.1~deb10u1
Control: found -1 1.1.29-1
Control: found -1 1.1.29-2.1+deb9u1

Hi,

The following vulnerability was published for libxslt.

CVE-2019-18197[0]:
| In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable
| isn't reset under certain circumstances. If the relevant memory area
| happened to be freed and reused in a certain way, a bounds check could
| fail and memory outside a buffer could be written to, or uninitialized
| data could be disclosed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
[3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
[4] https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
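
The failure mode in the CVE text above (a cached pointer that is not reset, memory that is later reused, and a bounds check that then passes on stale metadata), shown as an added example. This is a simplified model, not libxslt code and not part of the original messages; every name in it is hypothetical, a single static slot stands in for freed-and-reused heap memory, and the fix is assumed to be resetting the cached pointer.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the bug class; NOT libxslt source, all names hypothetical. */
static char pool[32];  /* one reusable slot, so "freed and reused" is deterministic */

typedef struct { char *buf; size_t cap, len; } Text;         /* output text node */
typedef struct { const char *last; size_t size, use; } Ctx;  /* cached last text */

/* Put a new text node in the slot. track=1 records it in the cache; track=0 is
 * the path that leaves the cache alone, unless reset=1 (the fix) clears it. */
static Text make_text(Ctx *c, const char *s, size_t cap, int track, int reset) {
    Text t = { pool, cap, strlen(s) };
    memcpy(pool, s, t.len);
    if (track) { c->last = t.buf; c->size = cap; c->use = t.len; }
    else if (reset) { c->last = NULL; c->size = c->use = 0; }
    return t;
}

/* Append s to t. Returns how many bytes ended up beyond t's real capacity
 * (0 = in bounds). Caps stay below sizeof pool, so the model never leaves pool. */
static size_t append(Ctx *c, Text *t, const char *s) {
    size_t n = strlen(s);
    if (c->last == t->buf) {                  /* pointer match: trust the cache */
        if (c->use + n > c->size) return 0;   /* bounds check on CACHED size */
        memcpy(t->buf + c->use, s, n);
        t->len = c->use += n;                 /* bytes from old len to old use are stale */
        return t->len > t->cap ? t->len - t->cap : 0;
    }
    if (t->len + n > t->cap) return 0;        /* slow path: node's own metadata */
    memcpy(t->buf + t->len, s, n);
    t->len += n;
    c->last = t->buf; c->size = t->cap; c->use = t->len;
    return 0;
}

/* Node A is cached, then its memory is reused by node B on the untracked path. */
static size_t overrun(int fixed) {
    Ctx c = { NULL, 0, 0 };
    make_text(&c, "0123456789", 24, 1, 0);       /* cache: size 24, use 10 */
    Text b = make_text(&c, "ab", 8, 0, fixed);   /* same address, capacity 8 */
    return append(&c, &b, "WXYZ");
}

int main(void) {
    printf("stale cache: %zu bytes past capacity\n", overrun(0));
    printf("cache reset: %zu bytes past capacity\n", overrun(1));
    return 0;
}
```

With the stale cache the append lands at the old offset, so the node both exceeds its capacity and exposes leftover bytes from the previous occupant; with the cache reset the slow path uses the node's own length and capacity.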
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.32-2.2~deb10u1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Nov 2019 17:11:47 +0100
Source: libxslt
Architecture: source
Version: 1.1.32-2.2~deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 942646
Changes:
 libxslt (1.1.32-2.2~deb10u1) buster; urgency=medium
 .
   * Rebuild for buster
 .
 libxslt (1.1.32-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646)
Checksums-Sha1:
 e22ed6a42e18b40ba310a295705159f7f28f1cd4 2781 libxslt_1.1.32-2.2~deb10u1.dsc
 216e765cecef9fd15a6b3dea7c537d2c237caf01 34232 libxslt_1.1.32-2.2~deb10u1.debian.tar.xz
Checksums-Sha256:
 ae3c135ea738ba088bda7dc76fb63cb68920a1fac0514aa5ff8761182d48b1f3 2781 libxslt_1.1.32-2.2~deb10u1.dsc
 1ac65664ec024a34da9c4180778073198868fb4ce78fb9bc936564dd61cc57e5 34232 libxslt_1.1.32-2.2~deb10u1.debian.tar.xz
Files:
 290449437956abd00a2bd23b6dab80f9 2781 text optional libxslt_1.1.32-2.2~deb10u1.dsc
 41c077fdf6a03cb74f69f955236fcf1c 34232 text optional libxslt_1.1.32-2.2~deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---