Your message dated Sun, 13 Feb 2022 17:49:41 +0000
with message-id <[email protected]>
and subject line Bug#1005641: fixed in openscad 2021.01-4
has caused the Debian Bug report #1005641,
regarding openscad: Out-of-bounds memory access (CVE-2022-0496 and
CVE-2022-0497)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1005641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005641
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openscad
Severity: important
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Upstream has reported two out-of-bounds memory access bugs, which have been
assigned CVEs:
https://github.com/openscad/openscad-security-advisory/issues/3
CVE-2022-0497
https://github.com/openscad/openscad-security-advisory/issues/4
CVE-2022-0496
The impact of the bugs does not look very severe at first glance (read access
outside of a memory array). But since there are associated CVEs it seems
useful to track for Debian.
Patches, including backported versions, are available from upstream.
-- Package-specific info:
Output of /usr/share/bug/openscad:
$ glxinfo |grep 'OpenGL .* string:'
OpenGL vendor string: Intel
OpenGL renderer string: Mesa Intel(R) UHD Graphics 620 (KBL GT2)
OpenGL core profile version string: 4.6 (Core Profile) Mesa 20.3.5
OpenGL core profile shading language version string: 4.60
OpenGL version string: 4.6 (Compatibility Profile) Mesa 20.3.5
OpenGL shading language version string: 4.60
OpenGL ES profile version string: OpenGL ES 3.2 Mesa 20.3.5
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20
-- System Information:
Debian Release: 11.2
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: openscad
Source-Version: 2021.01-4
Done: Kristian Nielsen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openscad, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kristian Nielsen <[email protected]> (supplier of updated openscad
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Feb 2022 16:46:19 +0100
Source: openscad
Architecture: source
Version: 2021.01-4
Distribution: unstable
Urgency: medium
Maintainer: Kristian Nielsen <[email protected]>
Changed-By: Kristian Nielsen <[email protected]>
Closes: 1005499 1005641
Changes:
openscad (2021.01-4) unstable; urgency=medium
.
* Backport fixes for CVE-2022-0496 and CVE-2022-0497 (Closes: #1005641).
* Backport compile fix for CGAL 5.4 (Closes: #1005499).
* Backport a fix for another FTBFS in sid.
* Lintians.
Checksums-Sha1:
 79e710795933826046ac4da7dedfea22a4922db4 2911 openscad_2021.01-4.dsc
 01ee0a6a31238d9a0ed12e101bc189e34135ede8 52652 openscad_2021.01-4.debian.tar.xz
 5bf3e8a93a3770f0934b8e37540e9307a79078e3 17260 openscad_2021.01-4_amd64.buildinfo
Checksums-Sha256:
 a711016985d94486bf056a277bf34ce3bb8864d0198bc96ae56a07f05f386fa1 2911 openscad_2021.01-4.dsc
 fa4f40f7f08594a0fa638f354d0815cf48eb6774240d1f707e2bb2d705b3194c 52652 openscad_2021.01-4.debian.tar.xz
 e0ae65748ddb7c3df106a8d78346c8da1a6986643ed286fcfa3262fadd55507b 17260 openscad_2021.01-4_amd64.buildinfo
Files:
 40b843d9505abff8591bcb89c5f07450 2911 graphics optional openscad_2021.01-4.dsc
 53ee380c1a92ee32b4242499139dca02 52652 graphics optional openscad_2021.01-4.debian.tar.xz
 66123d1862523ec4edc091e25f2ee7d7 17260 graphics optional openscad_2021.01-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----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=o83S
-----END PGP SIGNATURE-----
--- End Message ---
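The .changes stanza quoted in the closing message carries the sizes and SHA-256 digests of the uploaded source artifacts. The shell snippet below is an added example, not Debian tooling and not part of the original thread: it parses the Checksums-Sha256 stanza of a .changes file and checks every listed file's size and digest against what is on disk, and it builds a constructed fixture (fake .dsc and tarball contents, placeholder Files entries, digests computed at run time) rather than using the real openscad upload. In a real workflow, `dscverify` from devscripts does this and also verifies the OpenPGP signature on the .changes, which this example deliberately does not replace.

```shell
#!/bin/sh
# Added example: verify the Checksums-Sha256 stanza of a Debian .changes
# file against files on disk. Not Debian's own tooling (see dscverify).

# sha256_of FILE: print the hex SHA-256 of FILE, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_changes_sha256 CHANGES_FILE DIR
# For every " <sha256> <size> <name>" line under "Checksums-Sha256:",
# compare the size and digest of DIR/<name>. Prints one line per file and
# returns 0 only if every entry matches.
verify_changes_sha256() {
    changes_file=$1
    artifact_dir=$2
    status=0
    # Extract the stanza body: lines after the header, up to the next
    # non-indented line (the next field of the control file).
    entries=$(awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        in_stanza && /^[^ ]/ { in_stanza = 0 }
        in_stanza            { print $1, $2, $3 }
    ' "$changes_file")
    # Here-document keeps the loop in the current shell so $status survives.
    while read -r want_sum want_size name; do
        [ -n "$name" ] || continue
        path="$artifact_dir/$name"
        if [ ! -f "$path" ]; then
            echo "FAIL $name: missing"
            status=1
            continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_sum=$(sha256_of "$path")
        if [ "$got_size" != "$want_size" ]; then
            echo "FAIL $name: size $got_size, expected $want_size"
            status=1
        elif [ "$got_sum" != "$want_sum" ]; then
            echo "FAIL $name: sha256 mismatch"
            status=1
        else
            echo "ok   $name"
        fi
    done <<EOF
$entries
EOF
    return $status
}

# make_fixture DIR: write constructed stand-ins for an upload's files and a
# .changes file whose Checksums-Sha256 stanza matches them. The contents are
# fake; only the file names follow the openscad 2021.01-4 upload.
make_fixture() {
    fixture_dir=$1
    printf 'Format: 3.0 (quilt)\nSource: openscad\n' > "$fixture_dir/openscad_2021.01-4.dsc"
    printf 'not a real tarball\n' > "$fixture_dir/openscad_2021.01-4.debian.tar.xz"
    {
        echo 'Format: 1.8'
        echo 'Source: openscad'
        echo 'Version: 2021.01-4'
        echo 'Checksums-Sha256:'
        for f in openscad_2021.01-4.dsc openscad_2021.01-4.debian.tar.xz; do
            printf ' %s %s %s\n' "$(sha256_of "$fixture_dir/$f")" \
                "$(wc -c < "$fixture_dir/$f" | tr -d ' ')" "$f"
        done
        echo 'Files:'
        echo ' 00000000000000000000000000000000 0 graphics optional placeholder'
    } > "$fixture_dir/openscad_2021.01-4_amd64.changes"
}

# Stand-alone demo: a clean fixture verifies; a same-size content swap in the
# tarball is caught by the digest check even though the size still matches.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_changes_sha256 "$demo_dir/openscad_2021.01-4_amd64.changes" "$demo_dir"
printf 'NOT A REAL TARBALL\n' > "$demo_dir/openscad_2021.01-4.debian.tar.xz"
verify_changes_sha256 "$demo_dir/openscad_2021.01-4_amd64.changes" "$demo_dir" \
    || echo "tamper detected, as expected"
rm -rf "$demo_dir"
```

The size check is cheap and catches truncated downloads early, but only the digest comparison catches a same-size substitution; and neither tells you who produced the .changes, which is why the signature check in the real pipeline must not be skipped.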