Your message dated Sat, 16 Aug 2025 01:36:58 +0000
with message-id <[email protected]>
and subject line Bug#1109338: fixed in mruby 3.4.0-2
has caused the Debian Bug report #1109338,
regarding mruby: CVE-2025-7207
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mruby
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for mruby.

CVE-2025-7207[0]:
| A vulnerability, which was classified as problematic, was found in
| mruby up to 3.4.0-rc2. Affected is the function scope_new of the
| file mrbgems/mruby-compiler/core/codegen.c of the component nregs
| Handler. The manipulation leads to heap-based buffer overflow. An
| attack has to be approached locally. The exploit has been disclosed
| to the public and may be used. The name of the patch is
| 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended to apply
| a patch to fix this issue.

https://github.com/mruby/mruby/issues/6509
https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7207
    https://www.cve.org/CVERecord?id=CVE-2025-7207

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: mruby
Source-Version: 3.4.0-2
Done: Nobuhiro Iwamatsu <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <[email protected]> (supplier of updated mruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Aug 2025 09:18:10 +0900
Source: mruby
Architecture: source
Version: 3.4.0-2
Distribution: unstable
Urgency: medium
Maintainer: Nobuhiro Iwamatsu <[email protected]>
Changed-By: Nobuhiro Iwamatsu <[email protected]>
Closes: 1109338
Changes:
 mruby (3.4.0-2) unstable; urgency=medium
 .
   * Fix CVE-2025-7207 (Closes: #1109338)
     Add CVE-2025-7207.patch to d/patches/series.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
