Your message dated Tue, 05 Feb 2019 11:05:24 +0000
with message-id <e1gqyxc-000bev...@fasolo.debian.org>
and subject line Bug#921355: fixed in libpng1.6 1.6.36-4
has caused the Debian Bug report #921355,
regarding libpng1.6: CVE-2019-7317: use-after-free in png_image_free in png.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
921355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921355
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpng1.6
Version: 1.6.36-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/glennrp/libpng/issues/275
Control: found -1 1.6.28-1
Control: found -1 1.6.36-2

Hi,

The following vulnerability was published for libpng1.6.

CVE-2019-7317[0]:
| png_image_free in png.c in libpng 1.6.36 has a use-after-free because
| png_image_free_function is called under png_safe_execute.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7317
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
[1] https://github.com/glennrp/libpng/issues/275

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libpng1.6
Source-Version: 1.6.36-4

We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofb...@debian.org> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 05 Feb 2019 11:43:24 +0100
Source: libpng1.6
Binary: libpng16-16 libpng-dev libpng-tools libpng16-16-udeb
Architecture: source
Version: 1.6.36-4
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Gianfranco Costamagna <locutusofb...@debian.org>
Description:
 libpng-dev - PNG library - development (version 1.6)
 libpng-tools - PNG library - tools (version 1.6)
 libpng16-16 - PNG library - runtime (version 1.6)
 libpng16-16-udeb - PNG library - minimal runtime library (version 1.6) (udeb)
Closes: 921355
Changes:
 libpng1.6 (1.6.36-4) unstable; urgency=high
 .
   * debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch,
     debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch:
     - new fixes for arm64 and general test failures (and leaks)
   * debian/patches/CVE-2019-7317.patch:
     - fix for CVE 2019-7317 (Closes: #921355)
       Thanks Salvatore Bonaccorso for your report!


--- End Message ---
