Your message dated Mon, 05 May 2025 15:06:04 +0000
with message-id <[email protected]>
and subject line Bug#1104255: fixed in quickjs 2025.04.26-1
has caused the Debian Bug report #1104255,
regarding quickjs: CVE-2025-46687 CVE-2025-46688
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: quickjs
Version: 2024.01.13-5
Severity: grave
Tags: security upstream
Forwarded: https://github.com/bellard/quickjs/issues/399
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for quickjs.

Setting the severity to RC as it might be worth having it addressed from
the start for the trixie release.

CVE-2025-46687[0]:
| quickjs-ng through 0.9.0 has a missing length check in JS_ReadString
| for a string, leading to a heap-based buffer overflow. QuickJS
| before 2025-04-26 is also affected.


CVE-2025-46688[1]:
| quickjs-ng through 0.9.0 has an incorrect size calculation in
| JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow.
| QuickJS before 2025-04-26 is also affected.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46687
    https://www.cve.org/CVERecord?id=CVE-2025-46687
[1] https://security-tracker.debian.org/tracker/CVE-2025-46688
    https://www.cve.org/CVERecord?id=CVE-2025-46688
[2] https://github.com/bellard/quickjs/issues/399
[3] https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a

Regards,
Salvatore

--- End Message ---
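Both CVEs in the report above describe a bytecode deserializer trusting a length it read from the input. As an added example that is not QuickJS's own code, the hypothetical reader below shows the check a length-prefixed string reader needs: the declared length is compared against the bytes actually remaining before any allocation or copy, so a truncated or oversized claim is rejected instead of overrunning the heap buffer. The names Reader, read_leb128, read_string and try_read are assumptions, and the sample inputs in the test are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal reader state (not QuickJS's BCReaderState). */
typedef struct {
    const uint8_t *buf;   /* serialized input */
    size_t len;           /* total input length */
    size_t pos;           /* read cursor, always <= len */
} Reader;

/* Read an unsigned LEB128 value; returns -1 on truncation or malformed input. */
static int read_leb128(Reader *r, uint32_t *out) {
    uint32_t v = 0;
    for (int shift = 0; shift < 32; shift += 7) {
        if (r->pos >= r->len) return -1;          /* ran off the end */
        uint8_t b = r->buf[r->pos++];
        v |= (uint32_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *out = v; return 0; }
    }
    return -1;                                    /* more than 5 bytes */
}

/* Read a length-prefixed string into a fresh NUL-terminated heap buffer.
 * Returns NULL (and leaves the reader usable) on any malformed input. */
char *read_string(Reader *r, size_t *out_len) {
    uint32_t n;
    if (read_leb128(r, &n) < 0) return NULL;
    /* The missing check: without this, memcpy reads (and the caller later
     * writes) past the input/allocation when n exceeds what is left. */
    if (n > r->len - r->pos) return NULL;
    char *s = malloc((size_t)n + 1);              /* n <= len, so no wrap */
    if (!s) return NULL;
    memcpy(s, r->buf + r->pos, n);
    s[n] = '\0';
    r->pos += n;
    if (out_len) *out_len = n;
    return s;
}

/* Convenience wrapper: parse one string from a byte image and return its
 * length, or -1 if the reader rejected the input. */
long try_read(const uint8_t *buf, size_t len) {
    Reader r = { buf, len, 0 };
    size_t n = 0;
    char *s = read_string(&r, &n);
    if (!s) return -1;
    free(s);
    return (long)n;
}
```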
--- Begin Message ---
Source: quickjs
Source-Version: 2025.04.26-1
Done: Sebastian Humenda <[email protected]>

We believe that the bug you reported is fixed in the latest version of
quickjs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Humenda <[email protected]> (supplier of updated quickjs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 May 2025 17:18:27 +0200
Source: quickjs
Architecture: source
Version: 2025.04.26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Accessibility Team <[email protected]>
Changed-By: Sebastian Humenda <[email protected]>
Closes: 1104255
Changes:
 quickjs (2025.04.26-1) unstable; urgency=medium
 .
   * new upstream version
   * Fix CVE-2025-46687 and CVE-2025-46688 with upstream import, see upstream
     GitHub issue #399 (Closes: #1104255)
Checksums-Sha1:
 e4f571826d224bb9c953586dcc4aeeb36f91a8cd 1978 quickjs_2025.04.26-1.dsc
 c09eb782efad2b6b8e7165d7e93d65dd9f946972 580408 quickjs_2025.04.26.orig.tar.xz
 52766930ca2e86b2ac17af740af79cc4f855f2a1 3396 quickjs_2025.04.26-1.debian.tar.xz
 40715721a91abedb9c6943e9b7971132448972b6 6394 quickjs_2025.04.26-1_source.buildinfo
Checksums-Sha256:
 9dc1d44c9d68023ba42778f2263b25409e0037aefa32cd72a56420d2ed4fdc06 1978 quickjs_2025.04.26-1.dsc
 ec81da5b3249ed648dbc7df4a1654988910e66a118d9b71cb63534216efcfbbe 580408 quickjs_2025.04.26.orig.tar.xz
 33e980d4737e83419ae2fb3c833a9d1813ee5edbf2e3da129a66f8bffac23862 3396 quickjs_2025.04.26-1.debian.tar.xz
 de486473663029060de5b1a8cfff4a79f0204ff2d0d5282f6b0ccfce97100565 6394 quickjs_2025.04.26-1_source.buildinfo
Files:
 8cbcf6cb9bc4c1f1c41a2da0bbafdf5d 1978 devel optional quickjs_2025.04.26-1.dsc
 807a286cc5d44ad8cc8e14b5034640b4 580408 devel optional quickjs_2025.04.26.orig.tar.xz
 96ce974adaf310cbff7304297db113a0 3396 devel optional quickjs_2025.04.26-1.debian.tar.xz
 bfa04ba18a2a8671f399e9e530c5b7d5 6394 devel optional quickjs_2025.04.26-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
