Your message dated Sun, 04 Feb 2024 00:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1051724: fixed in zbar 0.23.92-7+deb12u1
has caused the Debian Bug report #1051724,
regarding zbar: CVE-2023-40889 CVE-2023-40890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1051724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051724
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zbar
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for zbar.

CVE-2023-40889[0]:
| A heap-based buffer overflow exists in the qr_reader_match_centers
| function of ZBar 0.23.90. Specially crafted QR codes may lead to
| information disclosure and/or arbitrary code execution. To trigger
| this vulnerability, an attacker can digitally input the malicious QR
| code, or prepare it to be physically scanned by the vulnerable
| scanner.

https://hackmd.io/@cspl/B1ZkFZv23

CVE-2023-40890[1]:
| A stack-based buffer overflow vulnerability exists in the
| lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes
| may lead to information disclosure and/or arbitrary code execution.
| To trigger this vulnerability, an attacker can digitally input the
| malicious QR code, or prepare it to be physically scanned by the
| vulnerable scanner.

https://hackmd.io/@cspl/H1PxPAUnn

It is unclear if these were reported upstream, could you please sync
up with them?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40889
    https://www.cve.org/CVERecord?id=CVE-2023-40889
[1] https://security-tracker.debian.org/tracker/CVE-2023-40890
    https://www.cve.org/CVERecord?id=CVE-2023-40890

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: zbar
Source-Version: 0.23.92-7+deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
zbar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated zbar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Jan 2024 16:37:27 +0100
Source: zbar
Architecture: source
Version: 0.23.92-7+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Boyuan Yang <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1051724
Changes:
 zbar (0.23.92-7+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2023-40889 qrdec.c: Fix array out-of-bounds access (Closes: #1051724)
   * Add bounds check for CVE-2023-40890 (Closes: #1051724)
Checksums-Sha1:
 02b08315580ef0af7c1d5925a7fae1f4a3f873a6 2958 zbar_0.23.92-7+deb12u1.dsc
 62924c879d7ec041766268039c92e988754181e2 1005358 zbar_0.23.92.orig.tar.gz
 206aced8eb204240b76b6f27609d6aae12f57373 13780 zbar_0.23.92-7+deb12u1.debian.tar.xz
 c0129368c11bb4e386835f936bce6e97484c3375 7976 zbar_0.23.92-7+deb12u1_source.buildinfo
Checksums-Sha256:
 e49f0116d235cc50dcfafa1053292ccf8d0d75b21fa9b5afb00e3f0894d3d5e0 2958 zbar_0.23.92-7+deb12u1.dsc
 dffc16695cb6e42fa318a4946fd42866c0f5ab735f7eaf450b108d1c3a19b4ba 1005358 zbar_0.23.92.orig.tar.gz
 bb794d1466b2ba5adabbb5ac7d271e801c757d096d4838fb0f721f6ed87eb588 13780 zbar_0.23.92-7+deb12u1.debian.tar.xz
 6be05531f733723bacba72a1e657b3c6e1d45b52da731b91c7b32b6f1bca3900 7976 zbar_0.23.92-7+deb12u1_source.buildinfo
Files:
 1e60ad2d65a90a3d6d0beb61a65f6405 2958 libs optional zbar_0.23.92-7+deb12u1.dsc
 dabc49973afbc7daa6dc8b09dc34f123 1005358 libs optional zbar_0.23.92.orig.tar.gz
 03da871a5c9fedb0158a950142d8d66b 13780 libs optional zbar_0.23.92-7+deb12u1.debian.tar.xz
 3b547af42ab7193ab35a6b608761c505 7976 libs optional zbar_0.23.92-7+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWkAQVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ep+kP/A7ofwyeGgETvhoD2pc1XgkCLM+Rmhod
LVbbgyB+90cgVSuLOBjrj616Y+RquUcNwcFA6/EBDZ632V0gQfM8mUNl2ABLB4RR
dRo/9l794OWjBwAtDTEUpYdNVMv/zU3YHgc5JYIGb+QCR7FPHrtewkzu/lh4evyH
W8c4qeUzHo62Nvo3RBfpqZqcXeyTJDFYSki84dz/AACoMbzzipPTBGLVjIiBZ1Cn
yG4pXVT62rzLaa3GFqYz8uZ2+apDSBuKwGjnTyaqsE+ISXm2NcSLHht+UH8s1H7J
YhSCBfvdWpjBfM+N+CkgPHzBBkbpl1BfsZhQbe5P5TBv52RscKQlezDVy3o1au+w
xqgxvKmI5M8I/dFY96iPfVp6rR62IM/Xi+NPJOF++OVTxO6dvulRAWbCs/1r9MhV
vbw4KLPG8mwWX2vh9nc7ZKav8HssIIu8yqJnfFTM+Ef+vyX52y/N4SdE4WgaL9z4
SaUY0b4KE5j54yOOS5NcJoj0eWg0ksu2bk3fNeFdlKcxB65601aC4uscoJpY8l7A
CtnZUAAz9Bbigj00rxhNxZFlAcetzRkMzXwSz4zfyEs6fOXdLz00/OCuDn71UR9K
zJYyRhdaG4TB33jQr4yVQ39N+L4S1xo0K/7idvTsqsqci2c8j88KDA33nngAp6C+
nrJM0qTqtpFu
=WUha
-----END PGP SIGNATURE-----

--- End Message ---
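The .changes file quoted in the upload notice above carries a Checksums-Sha256 stanza that lets anyone who mirrors or rebuilds the fixed zbar source confirm the tarballs they hold are the ones the Security Team uploaded. The script below is an added illustration, not part of this thread or of Debian's tooling: it parses that RFC822-style multi-line field (continuation lines start with one space and hold `digest size filename`) and compares each listed file on disk by size first, then by SHA-256. The file names and bytes in `demo()` are constructed placeholders, not the real zbar artefacts.

```python
import hashlib
import os
import tempfile


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field of a .changes file.

    The field line is followed by continuation lines that begin with a single
    space, each holding '<digest> <size> <name>'. The field ends at the first
    line that is not indented (the next field, e.g. 'Files:').
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            if line.rstrip() == field + ":":
                in_field = True
            continue
        if not line.startswith(" "):
            break  # reached the next field
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed {field} line: {line!r}")
        digest, size, name = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def sha256_of(path):
    """Stream a file through SHA-256 so large orig tarballs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Check every file in Checksums-Sha256 against the copy in `directory`.

    Returns {name: "ok" | "missing" | "size-mismatch" | "digest-mismatch"}.
    Size is compared before hashing so a truncated download is reported as
    such rather than as a generic digest failure.
    """
    results = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: two placeholder files, a stanza built from their real
    digests, then one file modified in place (same size) to simulate a tampered download."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example_1.0.orig.tar.gz")          # placeholder name
        tampered = os.path.join(d, "example_1.0-1.debian.tar.xz")  # placeholder name
        with open(good, "wb") as f:
            f.write(b"constructed tarball bytes\n")
        with open(tampered, "wb") as f:
            f.write(b"constructed debian dir bytes\n")
        stanza = "Format: 1.8\nSource: example\nChecksums-Sha256:\n"
        for p in (good, tampered):
            stanza += f" {sha256_of(p)} {os.path.getsize(p)} {os.path.basename(p)}\n"
        stanza += "Files:\n"
        # Overwrite the first byte of the second file; size stays the same, digest changes.
        with open(tampered, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        return verify_files(stanza, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

The checksums only mean something if the .changes file itself is authentic, so in practice verify the PGP signature over it (for example with `gpg --verify` against the uploader's key in the Debian keyring) before trusting the stanza; a size match alone is deliberately not treated as success, since the tampered file in `demo()` keeps its size and is still caught by the digest comparison.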
