Your message dated Sat, 07 Dec 2019 21:02:33 +0000
with message-id <[email protected]>
and subject line Bug#942646: fixed in libxslt 1.1.29-2.1+deb9u2
has caused the Debian Bug report #942646,
regarding libxslt: CVE-2019-18197
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
942646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.32-2.1
Severity: important
Tags: security upstream
Control: found -1 1.1.32-1
Control: found -1 1.1.32-2.1~deb10u1
Control: found -1 1.1.29-1
Control: found -1 1.1.29-2.1+deb9u1

Hi,

The following vulnerability was published for libxslt.

CVE-2019-18197[0]:
| In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable
| isn't reset under certain circumstances. If the relevant memory area
| happened to be freed and reused in a certain way, a bounds check could
| fail and memory outside a buffer could be written to, or uninitialized
| data could be disclosed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
[3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
[4] https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.29-2.1+deb9u2

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Dec 2019 15:41:16 +0100
Source: libxslt
Architecture: source
Version: 1.1.29-2.1+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 942646
Changes:
 libxslt (1.1.29-2.1+deb9u2) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Fix dangling pointer in xsltCopyText (CVE-2019-18197) (Closes: #942646)


--- End Message ---
