Your message dated Tue, 12 May 2020 16:52:09 +0000
with message-id <[email protected]>
and subject line Bug#947276: fixed in libspiro 1:20200505-1
has caused the Debian Bug report #947276,
regarding libspiro: CVE-2019-19847
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
947276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947276
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libspiro
Version: 1:20190731-2
Severity: normal
Tags: security upstream
Forwarded: https://github.com/fontforge/libspiro/issues/21
Hi,
The following vulnerability was published for libspiro. Although the
problematic function is exported, there seem at least in Debian not to
be any users of this (and it's not in the 'advertised' API). But just
filing the bug for tracking the upstream issue mainly.
CVE-2019-19847[0]:
| Libspiro through 20190731 has a stack-based buffer overflow in the
| spiro_to_bpath0() function in spiro.c.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19847
[1] https://github.com/fontforge/libspiro/issues/21
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.3.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: libspiro
Source-Version: 1:20200505-1
Done: Hideki Yamane <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libspiro, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hideki Yamane <[email protected]> (supplier of updated libspiro package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 May 2020 00:26:00 +0900
Source: libspiro
Architecture: source
Version: 1:20200505-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Fonts Task Force <[email protected]>
Changed-By: Hideki Yamane <[email protected]>
Closes: 947276
Changes:
libspiro (1:20200505-1) unstable; urgency=medium
.
* New upstream version 20200505
- Fix CVE-2019-19847 (Closes: #947276)
* Trim trailing whitespace.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
* debian/control
- Update standards version to 4.5.0, no changes needed.
- Drop debhelper and set debhelper-compat (= 13)
- Update Maintainer address
* debian/{libspiro-dev,not-installed,libspiro-dev.manpages}
- Add more files to install, thanks to dh_missing
* debian/rules
- Drop override_dh_missing, it is enabled by default with dh13
- Drop override_dh_install, use not-installed and install .a file instead
* debian/watch
- Adjust to catch upstream tarball name with "-dist"
Checksums-Sha1:
fcc32c4e135c9f9bec4f23f9ac7bbcbd730c2bed 1985 libspiro_20200505-1.dsc
43d17334d700bf35ea4cf55f6878b7deb2f0c8bc 422546 libspiro_20200505.orig.tar.gz
72cad005b59ea936065f6775cfaabe27865846a9 4172 libspiro_20200505-1.debian.tar.xz
fd86d5bf43c95a88ce66b5d7461765b4059eb626 6035 libspiro_20200505-1_amd64.buildinfo
Checksums-Sha256:
3cd254f13cead552bc9eb3835806abc664c0b195a1a2e8702fde0daf575f543c 1985 libspiro_20200505-1.dsc
06c69a1e8dcbcabcf009fd96fd90b1a244d0257246e376c2c4d57c4ea4af0e49 422546 libspiro_20200505.orig.tar.gz
741b72f0fd45718488cb9077ebfdfd1d758c43247c0333d4a03f52de5e52ae1e 4172 libspiro_20200505-1.debian.tar.xz
13fe678c4b6edbcdb386a62613063eb85c32e2bf3c342b138e4ca7474b7e0f81 6035 libspiro_20200505-1_amd64.buildinfo
Files:
f7e40c48985390004b68a5ec9bbeb287 1985 libs optional libspiro_20200505-1.dsc
d2d3eef9381c05a9a0268c0863ec9f9d 422546 libs optional libspiro_20200505.orig.tar.gz
5af82c9c6cb8301a8095cbecac17efed 4172 libs optional libspiro_20200505-1.debian.tar.xz
a3e2d4113e1e6624cbd0672c7b144073 6035 libs optional libspiro_20200505-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=HfLk
-----END PGP SIGNATURE-----
--- End Message ---
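The only actionable fact in this thread for someone running libspiro is the version gate: 1:20190731-2 is affected, 1:20200505-1 closes CVE-2019-19847. Deciding whether an installed version is on the fixed side requires the dpkg ordering (epoch, then upstream, then revision, with `~` sorting before the empty string and letters before punctuation), which plain string comparison gets wrong. The following is an added example, not code from libspiro, Debian's tooling, or anyone in this thread: it reimplements the dpkg comparison and applies it to the fixed version quoted from the closing message. The sample version list is constructed; the `~bpo10+1` entry is a hypothetical backport name chosen to exercise the tilde rule, not a package that this thread says exists.

```python
"""Check whether a Debian libspiro version carries the fix for CVE-2019-19847.

Added example for this bug-closure thread; not part of libspiro or of dpkg.
Assumptions: the fixed version is 1:20200505-1 (taken from the closing message
above); the sample version strings below are constructed for illustration.
"""

FIXED_VERSION = "1:20200505-1"  # from "libspiro (1:20200505-1) unstable" above


def _isdigit(c):
    """ASCII digit test (str.isdigit also accepts non-ASCII digits)."""
    return "0" <= c <= "9"


def _order(c):
    """Weight of one character in a non-digit run, mirroring dpkg's order():
    '~' sorts before everything, even end-of-string; end-of-string and digits
    weigh 0; letters weigh their code point; other characters weigh more."""
    if c == "~":
        return -1
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs (ordered by _order) and
    digit runs (compared numerically, leading zeros ignored). Returns <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _order weights.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1  # both sides are real non-digit chars here, so this is safe
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    Epoch defaults to 0, revision to ''; the revision follows the LAST hyphen."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Total order on Debian versions; returns -1, 0 or 1 like dpkg --compare-versions."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2)
    if c == 0:
        c = _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when `installed` sorts at or above the version that closed #947276."""
    return dpkg_compare(installed, fixed) >= 0


SAMPLE_VERSIONS = [          # constructed samples; only the first two appear in the thread
    "1:20190731-2",          # version the bug was filed against
    "1:20200505-1",          # version that closed the bug
    "1:20200505-1~bpo10+1",  # hypothetical backport: '~' sorts BEFORE the fixed version
    "20200505-1",            # same upstream date but no epoch: epoch 0 < epoch 1
    "1:20200505-2",          # later Debian revision of the fixed upstream
]


def triage(versions=SAMPLE_VERSIONS):
    """Map each version string to whether it carries the CVE-2019-19847 fix."""
    return {v: is_fixed(v) for v in versions}


if __name__ == "__main__":
    for v, ok in triage().items():
        print(f"{v:24s} {'fixed' if ok else 'VULNERABLE'}")
```

Two of the constructed cases are the ones that bite in practice: a backport or pre-release suffix introduced with `~` sorts below the plain fixed version even though it is textually longer, and a version string missing the `1:` epoch sorts below every epoch-1 version regardless of its date. On a real system the same check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libspiro1)" ge 1:20200505-1`; the reimplementation above lets the rule be applied to inventories gathered from hosts where dpkg is not at hand.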