Your message dated Sun, 22 Dec 2019 19:19:14 +0000
with message-id <[email protected]>
and subject line Bug#945312: fixed in libonig 6.9.4-1
has caused the Debian Bug report #945312,
regarding libonig: CVE-2019-19203: heap-buffer-overflow in gb18030_mbc_enc_len
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
945312: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945312
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libonig
Version: 6.9.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/kkos/oniguruma/issues/163
Hi,
The following vulnerability was published for libonig.
CVE-2019-19203[0]:
| An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the
| function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is
| dereferenced without checking if it passed the end of the matched
| string. This leads to a heap-based buffer over-read.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19203
[1] https://github.com/kkos/oniguruma/issues/163
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
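The CVE text above describes a multibyte length routine that reads the byte after a lead byte without knowing where the matched string ends. The following is an added illustration written for this page, not Oniguruma's gb18030.c: a simplified GB18030 sequence-length function in the unchecked shape beside a bounds-checked variant and a walker that uses it. The byte ranges follow the GB18030 layout (lead byte 0x81-0xFE; a second byte in 0x30-0x39 marks the four-byte form); the function names, the `NEED_MORE` return code and the sample input are assumptions made here.

```c
/* Added example, not Oniguruma's code: a GB18030-style "mbc_enc_len" in
 * its unchecked shape next to a bounds-checked variant. Function names,
 * the NEED_MORE code and the sample bytes are assumptions for this page. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NEED_MORE (-1)   /* assumed: sequence runs past the end of input */

/* GB18030 lead bytes are 0x81..0xFE; anything else is a 1-byte char. */
static int is_lead(unsigned char c) { return c >= 0x81 && c <= 0xFE; }

/* Vulnerable shape: decides 2 vs 4 bytes by reading p[1] with no notion
 * of where the buffer ends. When the matched string ends on a lead byte
 * this reads one byte past it, a heap over-read if the string is heap
 * allocated (the bug class described for CVE-2019-19203). */
static int enc_len_unchecked(const unsigned char *p)
{
    if (!is_lead(p[0]))
        return 1;
    if (p[1] >= 0x30 && p[1] <= 0x39)   /* second byte read blindly */
        return 4;
    return 2;
}

/* Hardened shape: the caller passes end; every byte is range-checked
 * before it is read, and a truncated sequence is reported, not guessed. */
static int enc_len_checked(const unsigned char *p, const unsigned char *end)
{
    if (p >= end)
        return NEED_MORE;
    if (!is_lead(p[0]))
        return 1;
    if (p + 1 >= end)                   /* the check the unchecked form lacks */
        return NEED_MORE;
    if (p[1] >= 0x30 && p[1] <= 0x39)
        return (p + 4 <= end) ? 4 : NEED_MORE;
    return (p + 2 <= end) ? 2 : NEED_MORE;
}

/* Convenience wrapper: length of the sequence at the start of s[0..n). */
static int len_of(const unsigned char *s, size_t n)
{
    return enc_len_checked(s, s + n);
}

/* Walk a buffer counting characters with the checked routine; returns -1
 * on a truncated sequence instead of reading past end. */
static long count_chars(const unsigned char *s, size_t n)
{
    const unsigned char *end = s + n;
    long count = 0;
    while (s < end) {
        int len = enc_len_checked(s, end);
        if (len == NEED_MORE)
            return -1;
        s += len;
        count++;
    }
    return count;
}

/* Run the checked walker over a heap copy of a constructed input so the
 * allocation ends exactly where the string does, as for a matched
 * substring. Returns 1 if the trailing lone lead byte was rejected. */
static int demo_truncated_lead(void)
{
    /* constructed input: 'a', a 2-byte char, then a lone lead byte */
    static const unsigned char src[] = { 'a', 0x81, 0x40, 0x81 };
    unsigned char *buf = malloc(sizeof src);
    long n;
    if (buf == NULL)
        return 0;
    memcpy(buf, src, sizeof src);
    /* enc_len_unchecked(buf + 3) would read buf[4], one past the block */
    n = count_chars(buf, sizeof src);
    free(buf);
    return n == -1;
}

int main(void)
{
    return demo_truncated_lead() ? 0 : 1;
}
```

Running the walker under AddressSanitizer with `enc_len_unchecked` swapped in for the checked call is the quickest way to see the over-read reported on the last byte of the heap block; the checked variant returns `NEED_MORE` there and the walker stops.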
--- Begin Message ---
Source: libonig
Source-Version: 6.9.4-1
We believe that the bug you reported is fixed in the latest version of
libonig, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jörg Frings-Fürst <[email protected]> (supplier of updated libonig package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Dec 2019 16:00:46 +0100
Source: libonig
Architecture: source
Version: 6.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Jörg Frings-Fürst <[email protected]>
Changed-By: Jörg Frings-Fürst <[email protected]>
Closes: 939988 944959 945312 945313
Changes:
libonig (6.9.4-1) unstable; urgency=medium
.
* New upstream release.
- Refresh symbols file and add Build-Depends-Package field.
- Remove upstream applied patches:
+ 0105-CVE-2019-13224.patch
+ 0110-CVE-2019-13225.patch
- Refresh debian/copyright.
- Fixes CVE-2019-19204: heap-buffer-overflow in fetch_interval_quantifier
due to double PFETCH (Closes: #945313).
- Fixes CVE-2019-19203: heap-buffer-overflow in gb18030_mbc_enc_len
(Closes: #945312).
- Fixes CVE-2019-19012: Out of bounds read in mbc_to_code()
(Closes: #944959).
- Fixes CVE-2019-16163: Stack Exhaustion Problem (Closes: #939988).
- Fixes CVE-2019-19246: heap-based buffer over-read in
str_lower_case_match.
* debian/watch: Correct typo.
* Declare compliance with Debian Policy 4.4.1.1 (No changes needed).
* Switch to debhelper-compat:
- debian/control: change to debhelper-compat (=12)
- remove debian/compat
* debian/control:
- Add Rules-Requires-Root: no.
* Remove outdated debian/NEWS.Debian.
Checksums-Sha1:
53a3c4f640be1f82cdee2f729d89c8870ccfe4ec 1862 libonig_6.9.4-1.dsc
4e91bc2f373a64788a2d2350ee34a1b424a1706d 582597 libonig_6.9.4.orig.tar.gz
4de35cbdf9258e95feb01c552fb4989edde2d063 9376 libonig_6.9.4-1.debian.tar.xz
b6ca94a337cda8671d3c75b4bab0d0740aa006a6 5758 libonig_6.9.4-1_source.buildinfo
Checksums-Sha256:
77366a368d2427a81024f9237f88e503feaf566d23d6e84e078593ffb0ed6bea 1862 libonig_6.9.4-1.dsc
aea68e5843b627f5fe6d3d6b598845b7f3622910e0568408e7cc2fa6b3690b87 582597 libonig_6.9.4.orig.tar.gz
f458d7fd6cfb3676ebf8a8eada5020eecc940ad6ef9ce18fbfde224e765d37df 9376 libonig_6.9.4-1.debian.tar.xz
bce2aabe56a5b4ed3d3a34e4b48ef1c277849ea00d29c4c7908a9e42a99ec17e 5758 libonig_6.9.4-1_source.buildinfo
Files:
4a1ee87710f88e568babc2b9b189781d 1862 libs extra libonig_6.9.4-1.dsc
b8054311a0747f7ae96b63531a3f93a0 582597 libs extra libonig_6.9.4.orig.tar.gz
9ea0519aae3e59e55949d3100f6adba5 9376 libs extra libonig_6.9.4-1.debian.tar.xz
170cc9440417402335000757decc43fd 5758 libs extra libonig_6.9.4-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----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=eVb1
-----END PGP SIGNATURE-----
--- End Message ---