Your message dated Thu, 30 Jan 2020 20:36:36 +0000
with message-id <[email protected]>
and subject line Bug#946628: fixed in fig2dev 1:3.2.7a-5+deb10u3
has caused the Debian Bug report #946628,
regarding fig2dev: CVE-2019-19746
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946628
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fig2dev
Version: 1:3.2.7b-2
Severity: normal
Tags: security upstream
Forwarded: https://sourceforge.net/p/mcj/tickets/57/

Hi,

The following vulnerability was published for fig2dev.

CVE-2019-19746[0]:
| make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation
| fault and out-of-bounds write because of an integer overflow via a
| large arrow type.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19746
[1] https://sourceforge.net/p/mcj/tickets/57/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: fig2dev
Source-Version: 1:3.2.7a-5+deb10u3

We believe that the bug you reported is fixed in the latest version of
fig2dev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <[email protected]> (supplier of updated fig2dev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Jan 2020 19:53:09 +0100
Source: fig2dev
Architecture: source
Version: 1:3.2.7a-5+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Roland Rosenfeld <[email protected]>
Changed-By: Roland Rosenfeld <[email protected]>
Closes: 946628 946866
Changes:
 fig2dev (1:3.2.7a-5+deb10u3) buster; urgency=medium
 .
   * 42_CVE-2019-19746: Reject huge arrow types causing integer overflow.
     This fixes CVE-2019-19746 (Closes: #946628).
   * 43_fgets2getline: Replace most calls to fgets() by getline() in
     read.c.  This fixes CVE-2019-19797 and several other segfaults
     (Closes: #946866).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
