Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id
<b70f86aac27195271a9b5212c7acc936da6ff100.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #976019,
regarding buster-pu: package vips/8.7.4-1+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
976019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976019
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi SRMs,
There's a minor information leak, CVE-2020-20739 in VIPS which doesn't
warrant a DSA. I would like to fix it with a PU, proposed patch is
attached.
Thanks for consideration,
Laszlo/GCS
diff -Nru vips-8.7.4/debian/changelog vips-8.7.4/debian/changelog
--- vips-8.7.4/debian/changelog 2019-01-18 18:07:38.000000000 +0100
+++ vips-8.7.4/debian/changelog 2020-11-21 17:50:57.000000000 +0100
@@ -1,3 +1,9 @@
+vips (8.7.4-1+deb10u1) buster; urgency=medium
+
+ * Fix CVE-2020-20739: variable used-before-set error in im_vips2dz() .
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]> Sat, 21 Nov 2020 17:50:57 +0100
+
vips (8.7.4-1) unstable; urgency=medium
* New upstream release.
diff -Nru vips-8.7.4/debian/patches/fix-used-before-set_error-in-im_vips2dz.patch vips-8.7.4/debian/patches/fix-used-before-set_error-in-im_vips2dz.patch
--- vips-8.7.4/debian/patches/fix-used-before-set_error-in-im_vips2dz.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.7.4/debian/patches/fix-used-before-set_error-in-im_vips2dz.patch 2020-11-21 17:50:57.000000000 +0100
@@ -0,0 +1,26 @@
+From 2ab5aa7bf515135c2b02d42e9a72e4c98e17031a Mon Sep 17 00:00:00 2001
+From: John Cupitt <[email protected]>
+Date: Tue, 3 Sep 2019 13:17:18 +0100
+Subject: [PATCH] fix a used-before-set error in im_vips2dz
+
+we were reading an uninited string in a vips7 compatibility wrapper, thanks
+yifengchen-cc
+
+see https://github.com/libvips/libvips/issues/1419
+---
+ libvips/deprecated/im_vips2dz.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvips/deprecated/im_vips2dz.c b/libvips/deprecated/im_vips2dz.c
+index 6dbde78c3..aafe8f99d 100644
+--- a/libvips/deprecated/im_vips2dz.c
++++ b/libvips/deprecated/im_vips2dz.c
+@@ -75,6 +75,8 @@ im_vips2dz( IMAGE *in, const char *filename )
+ *p = '\0';
+ im_strncpy( mode, p + 1, FILENAME_MAX );
+ }
++ else
++ strcpy( mode, "" );
+
+ strcpy( buf, mode );
+ p = &buf[0];
diff -Nru vips-8.7.4/debian/patches/series vips-8.7.4/debian/patches/series
--- vips-8.7.4/debian/patches/series 2018-07-24 21:17:08.000000000 +0200
+++ vips-8.7.4/debian/patches/series 2020-11-21 17:50:57.000000000 +0100
@@ -1 +1,2 @@
reproducible-build.patch
+fix-used-before-set_error-in-im_vips2dz.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.7
Hi,
Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.
Regards,
Adam
--- End Message ---
