Your message dated Sun, 04 Feb 2024 00:47:43 +0000
with message-id <[email protected]>
and subject line Bug#1051724: fixed in zbar 0.23.90-1+deb11u1
has caused the Debian Bug report #1051724,
regarding zbar: CVE-2023-40889 CVE-2023-40890
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1051724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051724
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zbar
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for zbar.
CVE-2023-40889[0]:
| A heap-based buffer overflow exists in the qr_reader_match_centers
| function of ZBar 0.23.90. Specially crafted QR codes may lead to
| information disclosure and/or arbitrary code execution. To trigger
| this vulnerability, an attacker can digitally input the malicious QR
| code, or prepare it to be physically scanned by the vulnerable
| scanner.
https://hackmd.io/@cspl/B1ZkFZv23
CVE-2023-40890[1]:
| A stack-based buffer overflow vulnerability exists in the
| lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes
| may lead to information disclosure and/or arbitrary code execution.
| To trigger this vulnerability, an attacker can digitally input the
| malicious QR code, or prepare it to be physically scanned by the
| vulnerable scanner.
https://hackmd.io/@cspl/H1PxPAUnn
It is unclear if these were reported upstream; could you please sync
up with them?
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-40889
https://www.cve.org/CVERecord?id=CVE-2023-40889
[1] https://security-tracker.debian.org/tracker/CVE-2023-40890
https://www.cve.org/CVERecord?id=CVE-2023-40890
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: zbar
Source-Version: 0.23.90-1+deb11u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
zbar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated zbar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 14 Jan 2024 16:50:18 +0100
Source: zbar
Architecture: source
Version: 0.23.90-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Boyuan Yang <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1051724
Changes:
zbar (0.23.90-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2023-40889 qrdec.c: Fix array out-of-bounds access (Closes: #1051724)
* Add bounds check for CVE-2023-40890 (Closes: #1051724)
Checksums-Sha1:
4513a67ceeb961ae441cb63e672016d20190a758 2787 zbar_0.23.90-1+deb11u1.dsc
26e7ad8d6c750dba8fe57100d4a7bdf5d4ee5995 1019128 zbar_0.23.90.orig.tar.gz
da9899cd63f2bbe21eb18362f90adcab012dcd64 12716 zbar_0.23.90-1+deb11u1.debian.tar.xz
Checksums-Sha256:
1a3fe535a101195aec086a455e0aa48a8fd9731dc1e92687d2990c74ecf42585 2787 zbar_0.23.90-1+deb11u1.dsc
e5aabcb2926c2d4cd626935c06b7553ed9e3eec0b2e08a102ea14516b8709fe1 1019128 zbar_0.23.90.orig.tar.gz
e1b287effc4d0d915c144d5857caa3d7501414897976e6fbc26227fa685ca1ec 12716 zbar_0.23.90-1+deb11u1.debian.tar.xz
Files:
898064e9e6d7dacff81f52f1f3292f1a 2787 libs optional zbar_0.23.90-1+deb11u1.dsc
50ba03736c96031d7788dedbae207baf 1019128 libs optional zbar_0.23.90.orig.tar.gz
02d741101d1622e80522dfec4d172f5e 12716 libs optional zbar_0.23.90-1+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---