Your message dated Fri, 04 Dec 2020 16:37:03 +0000
with message-id <[email protected]>
and subject line Bug#976350: fixed in pngcheck 2.3.0-13
has caused the Debian Bug report #976350,
regarding pngcheck: CVE-2020-27818
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
976350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pngcheck
Version: 2.3.0-12
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.3.0-7
Hi,
The following vulnerability was published for pngcheck.
CVE-2020-27818[0]:
| global buffer overflow was discovered in check_chunk_name function
| via crafted pngfile
Red Hat has a report in [1] and fixed their releases with [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-27818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27818
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1902011
[2] https://src.fedoraproject.org/rpms/pngcheck/blob/cc48791e34201caf7b686084b735d06cef66c974/f/pngcheck-2.4.0-overflow-bz1897485.patch
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pngcheck
Source-Version: 2.3.0-13
Done: David da Silva Polverari <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pngcheck, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David da Silva Polverari <[email protected]> (supplier of updated
pngcheck package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 04 Dec 2020 07:24:15 +0000
Source: pngcheck
Architecture: source
Version: 2.3.0-13
Distribution: unstable
Urgency: medium
Maintainer: David da Silva Polverari <[email protected]>
Changed-By: David da Silva Polverari <[email protected]>
Closes: 976350
Changes:
pngcheck (2.3.0-13) unstable; urgency=medium
.
* debian/patches/60-fix-buffer-overflow.patch: added to fix CVE-2020-27818.
Thanks to Salvatore Bonaccorso <[email protected]>. (Closes: #976350)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---