Your message dated Mon, 05 Nov 2018 00:52:49 +0000
with message-id <e1gjt8l-0006qz...@fasolo.debian.org>
and subject line Bug#912618: fixed in sdl-image1.2 1.2.12-10
has caused the Debian Bug report #912618,
regarding sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912618: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912618
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.3+dfsg1-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.0.1+dfsg-1
Control: found -1 2.0.1+dfsg-2+deb9u1
Control: clone -1 -2
Control: retitle -2 sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
Control: reassign -2 src:sdl-image1.2 1.2.12-9
Control: found -2 1.2.12-5
Control: found -2 1.2.12-5+deb9u1

Hi,

The following vulnerability was published for libsdl2-image.

CVE-2018-3977[0]:
| An exploitable code execution vulnerability exists in the XCF image
| rendering functionality of SDL2_image-2.0.3. A specially crafted XCF
| image can cause a heap overflow, resulting in code execution. An
| attacker can display a specially crafted image to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3977
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3977
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sdl-image1.2
Source-Version: 1.2.12-10

We believe that the bug you reported is fixed in the latest version of
sdl-image1.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated sdl-image1.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Nov 2018 23:58:30 +0000
Source: sdl-image1.2
Binary: libsdl-image1.2 libsdl-image1.2-dev
Architecture: source amd64
Version: 1.2.12-10
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintain...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 libsdl-image1.2 - Image loading library for Simple DirectMedia Layer 1.2, libraries
 libsdl-image1.2-dev - Image loading library for Simple DirectMedia Layer 1.2, developme
Closes: 912618
Changes:
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 .
   * Non-maintainer upload with permission of maintainers.
   * CVE-2018-3977: Prevent a potential buffer overflow on a corrupt or
     maliciously-crafted XCF file. (Closes: #912618)
Checksums-Sha1:
 0d087c7afa05b52466f71af78d3f9f2674b6340c 2206 sdl-image1.2_1.2.12-10.dsc
 3cff2642f6fa7338366c7148b724bb44240ca165 10556 sdl-image1.2_1.2.12-10.debian.tar.xz
 fb4cfa6e2a2f49b43e2c158938ac5d3138c43a4d 79832 libsdl-image1.2-dbgsym_1.2.12-10_amd64.deb
 b0cda7ab015094a49122fb6b1aadfb86831cd451 40660 libsdl-image1.2-dev_1.2.12-10_amd64.deb
 208e68b629ea3975aa5967d13a8bf8e6561bfed4 36372 libsdl-image1.2_1.2.12-10_amd64.deb
 0ea1b384e073e0e88f92eaa0f812b55c6dc34f8d 10319 sdl-image1.2_1.2.12-10_amd64.buildinfo
Checksums-Sha256:
 1fb2b23c829460e2f6a4396cc2311680439ae9f5cf7c8c3deb6b91a7134740d1 2206 sdl-image1.2_1.2.12-10.dsc
 36f9587a50eb0b3dd60edacd7ccc8c1c5f1e441089f6b7c2a15dc7d01502112a 10556 sdl-image1.2_1.2.12-10.debian.tar.xz
 57bf5f1f99150a51db24b7b46103e1d514b64deb9970383ad8c95a970075277f 79832 libsdl-image1.2-dbgsym_1.2.12-10_amd64.deb
 5180898d9fa5f5dafc1cc2159021f9ae5eca879d946e480bc1a6adec5d0bc7a9 40660 libsdl-image1.2-dev_1.2.12-10_amd64.deb
 30d36f0f321aeb7b42a45ce4d9b6ebc069d3f5703db7a926f49665866f9d3010 36372 libsdl-image1.2_1.2.12-10_amd64.deb
 1ebc55aa4adb0f3bde22367b8904a77f4e6fb2ca5a6d4cef8c06ec1ed2c228fb 10319 sdl-image1.2_1.2.12-10_amd64.buildinfo
Files:
 b1354bef0eb73a3168b95ef096fb3a70 2206 libs optional sdl-image1.2_1.2.12-10.dsc
 8b051207456bfdaa91e070face64c69d 10556 libs optional sdl-image1.2_1.2.12-10.debian.tar.xz
 595166dc1474eef0b38f5201e96d0fee 79832 debug optional libsdl-image1.2-dbgsym_1.2.12-10_amd64.deb
 abb9536b8a46878c09df7aacc4aae935 40660 libdevel optional libsdl-image1.2-dev_1.2.12-10_amd64.deb
 0ec6668caf1195541b5f1b11f595f713 36372 libs optional libsdl-image1.2_1.2.12-10_amd64.deb
 0e53cb53b442635e78f7e226c3fef032 10319 libs optional sdl-image1.2_1.2.12-10_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---