Your message dated Fri, 15 Aug 2025 23:10:16 +0000
with message-id <[email protected]>
and subject line Bug#1109338: fixed in mruby 3.4.0-1
has caused the Debian Bug report #1109338,
regarding mruby: CVE-2025-7207
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mruby
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for mruby.
CVE-2025-7207[0]:
| A vulnerability, which was classified as problematic, was found in
| mruby up to 3.4.0-rc2. Affected is the function scope_new of the
| file mrbgems/mruby-compiler/core/codegen.c of the component nregs
| Handler. The manipulation leads to heap-based buffer overflow. An
| attack has to be approached locally. The exploit has been disclosed
| to the public and may be used. The name of the patch is
| 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended to apply
| a patch to fix this issue.
https://github.com/mruby/mruby/issues/6509
https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-7207
https://www.cve.org/CVERecord?id=CVE-2025-7207
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: mruby
Source-Version: 3.4.0-1
Done: Nobuhiro Iwamatsu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <[email protected]> (supplier of updated mruby package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 16 Aug 2025 07:14:20 +0900
Source: mruby
Architecture: source
Version: 3.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <[email protected]>
Changed-By: Nobuhiro Iwamatsu <[email protected]>
Closes: 1109338
Changes:
mruby (3.4.0-1) unstable; urgency=medium
.
* Upload to unstable.
* Fix CVE-2025-7207 (Closes: #1109338)
Add d/patches/CVE-2025-7207.patch.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---