Your message dated Thu, 05 May 2022 13:03:54 +0000
with message-id <e1nmb98-0009al...@fasolo.debian.org>
and subject line Bug#1010526: fixed in libxml2 2.9.14+dfsg-1
has caused the Debian Bug report #1010526,
regarding libxml2: CVE-2022-29824: integer overflows in xmlBuf and xmlBuffer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010526: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010526
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Version: 2.9.13+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libxml2.

CVE-2022-29824[0]:
| In libxml2 before 2.9.14, several buffer handling functions in buf.c
| (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows.
| This can result in out-of-bounds memory writes. Exploitation requires
| a victim to open a crafted, multi-gigabyte XML file. Other software
| using libxml2's buffer functions, for example libxslt through 1.1.35,
| is affected as well.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
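
The bug class named in the CVE text above (an unchecked size computation that wraps, followed by a write past the allocation), shown as an added C example; it is not part of the original messages and is not libxml2's code. The `demo_buf` struct, the function names and the 32-bit counters are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical growable buffer with 32-bit counters (assumption for this demo). */
typedef struct {
    uint32_t use;   /* bytes currently stored */
    uint32_t size;  /* bytes allocated */
} demo_buf;

/* Unchecked: capacity needed to append len bytes plus a NUL terminator.
 * The sum is reduced modulo 2^32, so a huge request can look tiny. */
uint32_t need_unchecked(const demo_buf *b, uint32_t len)
{
    return (uint32_t)(b->use + len + 1u);
}

/* Unchecked "does it already fit?" test; 1 means no reallocation would happen. */
int fits_unchecked(const demo_buf *b, uint32_t len)
{
    return need_unchecked(b, len) <= b->size;
}

/* Checked: 0 and *out = use + len + 1, or -1 if that exceeds UINT32_MAX. */
int need_checked(const demo_buf *b, uint32_t len, uint32_t *out)
{
    if (len >= UINT32_MAX - b->use)
        return -1;
    *out = b->use + len + 1u;
    return 0;
}

/* Doubling growth that saturates at UINT32_MAX instead of wrapping to 0. */
uint32_t grow_size_checked(uint32_t size, uint32_t need)
{
    uint32_t n = size ? size : 64u;
    while (n < need) {
        if (n > UINT32_MAX / 2u)
            return UINT32_MAX;
        n *= 2u;
    }
    return n;
}

int main(void)
{
    /* Constructed state: ~4 GiB already buffered, 2048 bytes of slack left. */
    demo_buf b = { 0xFFFFF000u, 0xFFFFF800u };
    uint32_t need = 0;
    printf("unchecked need=%u fits=%d\n", (unsigned)need_unchecked(&b, 8192u), fits_unchecked(&b, 8192u));
    printf("checked rc=%d\n", need_checked(&b, 8192u, &need));
    return 0;
}
```

With the constructed state, the unchecked path reports that an 8192-byte append fits in 2048 bytes of slack, which is the condition that leads to an out-of-bounds write; the checked path rejects the request before any copy.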
--- Begin Message ---
Source: libxml2
Source-Version: 2.9.14+dfsg-1
Done: Mattia Rizzolo <mat...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mat...@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 May 2022 14:43:51 +0200
Source: libxml2
Architecture: source
Version: 2.9.14+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Mattia Rizzolo <mat...@debian.org>
Closes: 1010526
Changes:
 libxml2 (2.9.14+dfsg-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.9.14+dfsg.
     + Integer overflows in xmlBuf/xmlBuffer.  CVE-2022-29824 Closes: #1010526

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
