Your message dated Sun, 07 Dec 2025 13:05:41 +0000
with message-id <[email protected]>
and subject line Bug#1122057: fixed in duc 1.4.6-1
has caused the Debian Bug report #1122057,
regarding duc: CVE-2025-13654
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: duc
Version: 1.4.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for duc.

CVE-2025-13654[0]:
| A stack buffer overflow vulnerability exists in the buffer_get
| function of duc, a disk management tool, where a condition can
| evaluate to true due to underflow, allowing an out-of-bounds read.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13654
    https://www.cve.org/CVERecord?id=CVE-2025-13654
[1] https://github.com/zevv/duc/commit/8638c4365ffd9e1966bdef8af6339dbee8c17e66
[2] https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: duc
Source-Version: 1.4.6-1
Done: Jonathan Dowland <[email protected]>

We believe that the bug you reported is fixed in the latest version of
duc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Dowland <[email protected]> (supplier of updated duc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Dec 2025 10:50:42 +0000
Source: duc
Architecture: source
Version: 1.4.6-1
Distribution: unstable
Urgency: high
Maintainer: Jonathan Dowland <[email protected]>
Changed-By: Jonathan Dowland <[email protected]>
Closes: 1122057
Changes:
 duc (1.4.6-1) unstable; urgency=high
 .
   * New upstream version.
   * fix: fixed logic error in buffer_get(). Addresses CVE-2025-13654.
     Closes: #1122057.


--- End Message ---
