Your message dated Mon, 19 Sep 2022 01:13:05 +0000
with message-id <[email protected]>
and subject line Bug#990366: fixed in manuskript 0.14.0-1
has caused the Debian Bug report #990366,
regarding manuskript: CVE-2021-35196
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
990366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990366
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: manuskript
Version: 0.11.0-2
Severity: normal
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for manuskript.
CVE-2021-35196[0]:
| ** DISPUTED ** (see https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry) Manuskript through 0.12.0 allows remote
| attackers to execute arbitrary code via a crafted settings.pickle file
| in a project file, because there is insecure deserialization via the
| pickle.load() function in settings.py. NOTE: the vendor's position is
| that the product is not intended for opening an untrusted project
| file.
Note that, as stated in the CVE description, vendor and reporter do not seem
to agree on the vulnerability state, and the vendor's position is that
the product is not intended for opening an untrusted project file. We
file it nonetheless to still track the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-35196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35196
[1] https://github.com/olivierkes/manuskript/issues/891
[2] https://www.pizzapower.me/2021/06/20/arbitrary-code-execution-in-manuskript-0-12/
Regards,
Salvatore
--- End Message ---
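The CVE text above pins the issue on pickle.load() being applied to a settings.pickle taken from a project file, and the vendor's answer is that untrusted project files are out of scope. The example below is added here and is neither manuskript's code nor a description of what upstream pull request 895 changed: it shows the standard defensive pattern for that situation, an Unpickler subclass whose find_class only resolves an allowlist of globals, so that a project file can at most carry plain configuration values. The allowlist, the settings keys and both sample inputs are constructed for illustration.

```python
import datetime
import io
import pickle

# Globals a settings loader legitimately needs. Plain configuration values are
# builtin scalars and containers; older pickle protocols encode set and
# frozenset through a GLOBAL reference, so those two are listed explicitly.
# This allowlist is an assumption for the example, not manuskript's schema.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    A stock pickle.load() imports and calls whatever module.attribute the
    stream names, which is what makes loading an untrusted settings.pickle
    dangerous. find_class is the documented hook for restricting that.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} while loading settings")


def load_settings(data: bytes) -> dict:
    """Deserialize settings bytes, accepting only a dict of plain values."""
    settings = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(settings, dict):
        raise pickle.UnpicklingError("settings root must be a dict")
    return settings


def rejects(data: bytes) -> bool:
    """True when the restricted loader refuses the given bytes."""
    try:
        load_settings(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample inputs; neither comes from a real project file.
def sample_settings() -> bytes:
    """A benign settings dict, the shape a project file legitimately carries."""
    return pickle.dumps({"fontSize": 12, "spellcheck": True,
                         "recent": ["draft", "outline"], "flags": {1, 2}})


def sample_foreign_object() -> bytes:
    """A pickle carrying an object outside the allowlist.

    datetime.date is harmless, but its stream names a global exactly the way
    any other class would, so the loader must refuse it just the same.
    """
    return pickle.dumps(datetime.date(2022, 9, 18))


if __name__ == "__main__":
    print(load_settings(sample_settings()))
    print("foreign object rejected:", rejects(sample_foreign_object()))
```

The check is deliberately two-layered: find_class stops any class or function outside the allowlist from being imported at all, and the isinstance check on the root object rejects streams that decode cleanly but are not the dict the application expects. Together they turn "do not open untrusted project files" from a usage policy into a property the loader enforces.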
--- Begin Message ---
Source: manuskript
Source-Version: 0.14.0-1
Done: Miriam Ruiz <[email protected]>
We believe that the bug you reported is fixed in the latest version of
manuskript, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Miriam Ruiz <[email protected]> (supplier of updated manuskript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 18 Sep 2022 23:47:29 +0200
Source: manuskript
Architecture: source
Version: 0.14.0-1
Distribution: unstable
Urgency: medium
Maintainer: Miriam Ruiz <[email protected]>
Changed-By: Miriam Ruiz <[email protected]>
Closes: 990366 1015345
Changes:
manuskript (0.14.0-1) unstable; urgency=medium
.
* New upstream release. Closes: #1015345
- Fixes CVE-2021-35196: Closes: #990366
· https://github.com/olivierkes/manuskript/pull/895
· https://github.com/olivierkes/manuskript/issues/891
· https://www.pizzapower.me/2021/06/20/arbitrary-code-execution-in-manuskript-0-12/
* Upgraded Standards-Version from 4.6.0.1 to 4.6.1.1
* Removed patch: shared_OpenGL_contexts.patch. Not needed anymore.
Checksums-Sha1:
14dc7a6e9f512c18b37a1ac36d8a38682712089d 1797 manuskript_0.14.0-1.dsc
dedb9b6b884ffb18a90b9277e09cd8014cbdcb89 5524913 manuskript_0.14.0.orig.tar.gz
2852690dd4672b0b8ae27098a2b73a3edba447e7 75068 manuskript_0.14.0-1.debian.tar.xz
dcf1bc4ccb7193027a142d4acec2096d98325bc7 6937 manuskript_0.14.0-1_amd64.buildinfo
Checksums-Sha256:
bce8059c1b847083143d5bc1e7ec85aba591bb0a5ce1744871afd54cac08153c 1797 manuskript_0.14.0-1.dsc
5d7326e4f9941e83a74e186d502c82306b8ae66dccf806bf0bc016e0e933d0ae 5524913 manuskript_0.14.0.orig.tar.gz
536d7b3e953e9e1064af2ea12f4e05b5e56a22532108512d898131c8d8257c41 75068 manuskript_0.14.0-1.debian.tar.xz
542e334555a263efee8e6321a613598818158624625ef383c87b8d9fed620d11 6937 manuskript_0.14.0-1_amd64.buildinfo
Files:
ed701505b5b607bfb9bad00c30af06d6 1797 editors optional manuskript_0.14.0-1.dsc
f190e3770cf44abfd18e344c1508f90a 5524913 editors optional manuskript_0.14.0.orig.tar.gz
4430b4342803258dc188b59e22f5844f 75068 editors optional manuskript_0.14.0-1.debian.tar.xz
145df33d4d7536c66b9b35b2fdc7a29d 6937 editors optional manuskript_0.14.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---