Your message dated Tue, 11 May 2021 09:03:35 +0000
with message-id <e1lgoih-0001wi...@fasolo.debian.org>
and subject line Bug#988024: fixed in hivex 1.3.20-1
has caused the Debian Bug report #988024,
regarding hivex: CVE-2021-3504
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: hivex
Version: 1.3.19-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for hivex.

CVE-2021-3504[0]:
| Buffer overflow when provided invalid node key length

Making the severity RC as I think the fix needs to go into bullseye.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3504
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1949687
[2] https://listman.redhat.com/archives/libguestfs/2021-May/msg00013.html
[3] https://github.com/libguestfs/hivex/commit/8f1935733b10d974a1a4176d38dd151ed98cf381

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: hivex
Source-Version: 1.3.20-1
Done: Hilko Bengen <ben...@debian.org>

We believe that the bug you reported is fixed in the latest version of
hivex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <ben...@debian.org> (supplier of updated hivex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 May 2021 00:09:58 +0200
Source: hivex
Architecture: source
Version: 1.3.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org>
Changed-By: Hilko Bengen <ben...@debian.org>
Closes: 988024
Changes:
 hivex (1.3.20-1) unstable; urgency=medium
 .
   * New upstream version 1.3.20
   * Includes fix for CVE-2021-3504  (Closes: #988024)


--- End Message ---
