Your message dated Sun, 22 Mar 2015 21:24:51 +0000
with message-id <[email protected]>
and subject line Bug#780756: fixed in libzip 0.11.2-1.2
has caused the Debian Bug report #780756,
regarding libzip: CVE-2015-2331: ZIP integer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
780756: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780756
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libzip
Version: 0.11.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for libzip.
CVE-2015-2331[0]:
ZIP Integer Overflow
The issue was originally reported to php5 for the embedded (modified)
copy of libzip there, but affects libzip as well.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-2331
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libzip
Source-Version: 0.11.2-1.2
We believe that the bug you reported is fixed in the latest version of
libzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Mar 2015 20:17:45 +0100
Source: libzip
Binary: libzip-dev libzip2 zipcmp zipmerge ziptorrent
Architecture: source amd64
Version: 0.11.2-1.2
Distribution: unstable
Urgency: high
Maintainer: Fathi Boudra <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libzip-dev - library for reading, creating, and modifying zip archives (develo
libzip2 - library for reading, creating, and modifying zip archives (runtim
zipcmp - compare contents of zip archives
zipmerge - merge zip archives
ziptorrent - torrentzip zip archives
Closes: 780756
Changes:
libzip (0.11.2-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* Add CVE-2015-2331.patch patch.
CVE-2015-2331: ZIP integer overflow leads to writing past heap boundary.
(Closes: #780756)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---