Your message dated Mon, 09 May 2022 02:36:50 +0000
with message-id <[email protected]>
and subject line Bug#1009044: fixed in mruby 3.0.0-4
has caused the Debian Bug report #1009044,
regarding mruby: CVE-2022-1212 - Use-After-Free in str_escape
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1009044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009044
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mruby
Version: 3.0.0-3
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

The following vulnerability was published for mruby.

CVE-2022-1212[0]:
| Use-After-Free in str_escape in mruby/mruby in GitHub repository
| mruby/mruby prior to 3.2. Possible arbitrary code execution if being
| exploited.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1212
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1212

Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.16.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: mruby
Source-Version: 3.0.0-4
Done: Nobuhiro Iwamatsu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <[email protected]> (supplier of updated mruby package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 07 May 2022 17:09:06 +0900
Source: mruby
Binary: libmruby-dev mruby mruby-dbgsym
Architecture: source amd64
Version: 3.0.0-4
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <[email protected]>
Changed-By: Nobuhiro Iwamatsu <[email protected]>
Description:
libmruby-dev - lightweight implementation of the Ruby language (development file
mruby - lightweight implementation of the Ruby language
Closes: 1009044
Changes:
mruby (3.0.0-4) unstable; urgency=medium
.
* Fix CVE-2022-1212. (Closes: #1009044)
Add d/patches/CVE-2022-1212.patch. Fix Use-After-Free in str_escape.
* Fix CVE-2022-1286.
Add d/patches/CVE-2022-1286.patch. Fix heap-buffer-overflow in mrb_vm_exe.
* Add 'DEB_BUILD_MAINT_OPTIONS = hardening=+all' to d/rules.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---