Your message dated Tue, 15 Jan 2019 21:54:35 -0800
with message-id 
<ca+rerfvfwaxpztnxdyqrpooeycjdq6_3agcadx5gy_n8rnb...@mail.gmail.com>
and subject line Re: CVE-2019-6245 CVE-2019-6247
has caused the Debian Bug report #919322,
regarding CVE-2019-6245 CVE-2019-6247
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
919322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919322
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: agg
Severity: grave

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6247

Given that the package isn't exactly fast-moving, how about
revisiting #377270 for buster? Right now we need to coordinate
rebuilds against the fixed agg...

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
CVE-2019-6245 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6245>
was fixed in libagg-dev 1:2.4; SVG++ uses a 5-year-old copy of AGG
that predates this fix.

CVE-2019-6247 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6247>
is a bug in SVG++ calling AGG functions with incorrect values for the
buffer used. See SVG++ commit: #70 Fix for bug 2
<https://github.com/svgpp/svgpp/commit/1ae3c0feea4b29d67d921046715f65c0994a0a07#diff-3d2d98aef5dd23af492e615cf32a7ec5>
which fixes the call to use the correct arguments. AGG is working as
expected and doesn't exhibit this vulnerability when called with the
proper arguments.

--- End Message ---
