Source: erofs-utils
Version: 1.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for erofs-utils.

CVE-2023-33551[0]:
| Heap Buffer Overflow in the erofsfsck_dirent_iter function in
| fsck/main.c in erofs-utils v1.6 allows remote attackers to execute
| arbitrary code via a crafted erofs filesystem image.

CVE-2023-33552[1]:
| Heap Buffer Overflow in the erofs_read_one_data function at data.c in
| erofs-utils v1.6 allows remote attackers to execute arbitrary code via
| a crafted erofs filesystem image.

The proposed fixes are yet only committed in upstream repository but in
the experimental branch. So they might be subject to changes yet.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33551
    https://www.cve.org/CVERecord?id=CVE-2023-33551
[1] https://security-tracker.debian.org/tracker/CVE-2023-33552
    https://www.cve.org/CVERecord?id=CVE-2023-33552

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
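Added example, not part of the bug report and not erofs-utils code: both CVEs above are heap overflows reached while walking a crafted image, and the defensive property a packager or reviewer wants from the fix is that every offset taken from the image is checked against the buffer it indexes before any memory is touched. The walker below shows that pattern on a simplified directory-block layout modelled on EROFS (12-byte entries holding nid, nameoff and file_type; names packed after the entry array; a name's length implied by the next entry's nameoff). That layout, the 4096-byte block size and the sample block are assumptions constructed for this illustration; the code does not reproduce either CVE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK_SIZE    4096u   /* one directory block (assumed size) */
#define DIRENT_SIZE 12u     /* nid(8) + nameoff(2) + file_type(1) + reserved(1) */

/* Little-endian readers: the parser never casts image bytes to a struct. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void put16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

typedef void (*dirent_cb)(uint64_t nid, const char *name, size_t len, void *ctx);

/* Walk one directory block. Every offset read from the image is validated
 * against blk_len before it addresses memory, so a crafted block can only
 * make the walk fail, never read or write past the buffer.
 * Returns the entry count, or -1 if the block is malformed. */
int iter_dirents(const uint8_t *blk, size_t blk_len, dirent_cb cb, void *ctx)
{
    if (blk_len < DIRENT_SIZE || blk_len > BLK_SIZE)
        return -1;

    /* The first entry's nameoff doubles as the end of the entry array. */
    uint16_t first = rd16(blk + 8);
    if (first < DIRENT_SIZE || first > blk_len || first % DIRENT_SIZE != 0)
        return -1;
    size_t n = first / DIRENT_SIZE;

    for (size_t i = 0; i < n; i++) {
        const uint8_t *de = blk + i * DIRENT_SIZE;
        size_t off = rd16(de + 8);
        /* A name runs to the next entry's nameoff; the last runs to the
         * end of the block, where it may be NUL-padded. */
        size_t end = (i + 1 < n) ? rd16(de + DIRENT_SIZE + 8) : blk_len;

        if (off < first || off > blk_len || end < off || end > blk_len)
            return -1;                  /* offset outside the block */
        size_t len = end - off;
        const uint8_t *nul = memchr(blk + off, 0, len);
        if (nul)
            len = (size_t)(nul - (blk + off));
        if (len == 0 || len > 255)
            return -1;                  /* empty or oversized name */

        cb(rd64(de), (const char *)(blk + off), len, ctx);
    }
    return (int)n;
}

/* Constructed sample block: two entries, "a" (nid 1) and "bc" (nid 2). */
static void build_sample(uint8_t *blk)
{
    memset(blk, 0, BLK_SIZE);
    blk[0] = 1;  put16(blk + 8, 24);  blk[10] = 2;   /* entry 0: name at 24 */
    blk[12] = 2; put16(blk + 20, 25); blk[22] = 2;   /* entry 1: name at 25 */
    memcpy(blk + 24, "abc", 3);
}

static void sum_cb(uint64_t nid, const char *name, size_t len, void *ctx)
{
    (void)nid; (void)name;
    if (ctx)
        *(size_t *)ctx += len;
}

/* Walk the sample, optionally overwriting entry 1's nameoff first to mimic
 * a crafted image. Returns the walker's result; *names (if non-NULL)
 * receives the total name bytes seen. */
int run_sample(uint16_t tampered_nameoff, size_t *names)
{
    uint8_t blk[BLK_SIZE];
    build_sample(blk);
    if (tampered_nameoff)
        put16(blk + 20, tampered_nameoff);
    if (names)
        *names = 0;
    return iter_dirents(blk, BLK_SIZE, sum_cb, names);
}

int main(void)
{
    size_t names = 0;
    int n = run_sample(0, &names);
    printf("valid block: %d entries, %zu name bytes\n", n, names);
    printf("nameoff past block end: %d\n", run_sample(5000, NULL));
    printf("nameoff before name area: %d\n", run_sample(23, NULL));
    return 0;
}
```

The two rejection cases show the check doing its job: an offset past the block and an offset that would make a name length go negative both return -1 before any byte at that offset is touched. A walker that trusted nameoff and subtracted or indexed first is the shape of bug the advisory describes.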