Your message dated Mon, 13 Oct 2025 18:25:58 +0000
with message-id <[email protected]>
and subject line Bug#1117936: fixed in golang-github-nwaples-rardecode 2.2.1-1
has caused the Debian Bug report #1117936,
regarding golang-github-nwaples-rardecode: CVE-2025-11579
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1117936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117936
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-nwaples-rardecode
Version: 2.1.1-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-nwaples-rardecode.

Technically speaking this is not really RC, but choosing as such to
make sure (even in distant future) not included in this version in
forky.

CVE-2025-11579[0]:
| github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the
| dictionary size when reading large RAR dictionary sizes, which
| allows an attacker to provide a specially crafted RAR file and cause
| Denial of Service via an Out Of Memory Crash.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-11579
    https://www.cve.org/CVERecord?id=CVE-2025-11579
[1] https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9

Regards,
Salvatore

--- End Message ---
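
The bug class named in the CVE text above, as an added example that is not part of the original messages and is not rardecode's code: a decoder that sizes its window from a header field must compare that size against a caller-set limit before allocating. The bit layout (exponent in bits 10-13, base 128 KiB, as in the RAR 5.0 format note), the function names and the 64 MiB limit are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed layout (RAR 5.0 format note): bits 10-13 of the compression-info
// value hold an exponent n, and the dictionary size is 128 KiB << n.
const (
	dictShift = 10
	dictMask  = 0xf
	dictBase  = 128 << 10
)

// ErrDictTooLarge is a hypothetical error value for this example.
var ErrDictTooLarge = errors.New("declared dictionary exceeds configured limit")

// declaredDictSize returns the window size the archive header asks for.
func declaredDictSize(compInfo uint64) uint64 {
	return dictBase << ((compInfo >> dictShift) & dictMask)
}

// newWindowUnchecked models the unrestricted pattern: the attacker-controlled
// header value goes straight into the allocation (up to 4 GiB per entry here).
func newWindowUnchecked(compInfo uint64) []byte {
	return make([]byte, declaredDictSize(compInfo))
}

// newWindow refuses the allocation when the declared size is above maxDict.
func newWindow(compInfo, maxDict uint64) ([]byte, error) {
	size := declaredDictSize(compInfo)
	if size > maxDict {
		return nil, fmt.Errorf("%w: %d > %d bytes", ErrDictTooLarge, size, maxDict)
	}
	return make([]byte, size), nil
}

func main() {
	const limit = 64 << 20 // hypothetical policy: 64 MiB per archive
	// Constructed header values: exponent 5 (4 MiB) and exponent 15 (4 GiB).
	for _, ci := range []uint64{5 << dictShift, 15 << dictShift} {
		w, err := newWindow(ci, limit)
		fmt.Println(declaredDictSize(ci), len(w), err)
	}
}
```

The limit belongs with the caller, because the acceptable window size depends on how much memory the service can spend per archive.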
--- Begin Message ---
Source: golang-github-nwaples-rardecode
Source-Version: 2.2.1-1
Done: Daniel Baumann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-nwaples-rardecode, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <[email protected]> (supplier of updated 
golang-github-nwaples-rardecode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Oct 2025 18:09:07 +0200
Source: golang-github-nwaples-rardecode
Architecture: source
Version: 2.2.1-1
Distribution: sid
Urgency: medium
Maintainer: Daniel Baumann <[email protected]>
Changed-By: Daniel Baumann <[email protected]>
Closes: 1117936
Changes:
 golang-github-nwaples-rardecode (2.2.1-1) sid; urgency=medium
 .
   * Removing rules-requires-root, not needed anymore.
   * Merging upstream version 2.2.1:
     - fixes Out Of Memory Crash when reading large RAR dictionary of specially
       crafted RAR file [CVE-2025-11579] (Closes: #1117936).

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQmmGg4gLaoSj0ERgL7tPDoCoAiLwUCaO0kdAAKCRD7tPDoCoAi
L0vnAQCnVWLUnl37z0Qvh6eJqbU3BDxm1Fc360v6VqNcx+bK7QD/Wu/PNt7SR0yf
8RxyCFQ2ZV7HijvhFfUEvGqZGw2x1ws=
=Ttjh
-----END PGP SIGNATURE-----


--- End Message ---
