Your message dated Fri, 22 Mar 2019 11:19:35 +0000
with message-id <[email protected]>
and subject line Bug#924185: fixed in libmatio 1.5.13-2
has caused the Debian Bug report #924185,
regarding libmatio: CVE-2019-9026 CVE-2019-9027 CVE-2019-9028 CVE-2019-9029
CVE-2019-9030 CVE-2019-9031 CVE-2019-9032 CVE-2019-9033 CVE-2019-9034
CVE-2019-9035 CVE-2019-9036 CVE-2019-9037 CVE-2019-9038
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
924185: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924185
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libmatio
Version: 1.5.13-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/tbeu/matio/issues/103

Hi,

The following vulnerabilities were published for libmatio.

CVE-2019-9026[0]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a heap-based buffer overflow in the function
| InflateVarName() in inflate.c when called from ReadNextCell in mat5.c.
CVE-2019-9027[1]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a heap-based buffer overflow problem in the
| function ReadNextCell() in mat5.c.
CVE-2019-9028[2]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a stack-based buffer over-read in the
| function InflateDimensions() in inflate.c when called from ReadNextCell
| in mat5.c.
CVE-2019-9029[3]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is an out-of-bounds read with a SEGV in the
| function Mat_VarReadNextInfo5() in mat5.c.
CVE-2019-9030[4]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a stack-based buffer over-read in
| Mat_VarReadNextInfo5() in mat5.c.
CVE-2019-9031[5]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a NULL pointer dereference in the function
| Mat_VarFree() in mat.c.
CVE-2019-9032[6]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is an out-of-bounds write problem causing a SEGV
| in the function Mat_VarFree() in mat.c.
CVE-2019-9033[7]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a stack-based buffer over-read for the "Rank
| and Dimension" feature in the function ReadNextCell() in mat5.c.
CVE-2019-9034[8]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a stack-based buffer over-read for a memcpy
| in the function ReadNextCell() in mat5.c.
CVE-2019-9035[9]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a stack-based buffer over-read in the
| function ReadNextStructField() in mat5.c.
CVE-2019-9036[10]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a heap-based buffer overflow in the function
| ReadNextFunctionHandle() in mat5.c.
CVE-2019-9037[11]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is a buffer over-read in the function
| Mat_VarPrint() in mat.c.
CVE-2019-9038[12]:
| An issue was discovered in libmatio.a in matio (aka MAT File I/O
| Library) 1.5.13. There is an out-of-bounds read problem with a SEGV in
| the function ReadNextCell() in mat5.c.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9026
[1] https://security-tracker.debian.org/tracker/CVE-2019-9027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9027
[2] https://security-tracker.debian.org/tracker/CVE-2019-9028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9028
[3] https://security-tracker.debian.org/tracker/CVE-2019-9029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9029
[4] https://security-tracker.debian.org/tracker/CVE-2019-9030
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9030
[5] https://security-tracker.debian.org/tracker/CVE-2019-9031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9031
[6] https://security-tracker.debian.org/tracker/CVE-2019-9032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9032
[7] https://security-tracker.debian.org/tracker/CVE-2019-9033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9033
[8] https://security-tracker.debian.org/tracker/CVE-2019-9034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9034
[9] https://security-tracker.debian.org/tracker/CVE-2019-9035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9035
[10] https://security-tracker.debian.org/tracker/CVE-2019-9036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9036
[11] https://security-tracker.debian.org/tracker/CVE-2019-9037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9037
[12] https://security-tracker.debian.org/tracker/CVE-2019-9038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9038
[13] https://github.com/tbeu/matio/issues/103

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libmatio
Source-Version: 1.5.13-2
We believe that the bug you reported is fixed in the latest version of
libmatio, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sébastien Villemot <[email protected]> (supplier of updated libmatio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 Mar 2019 11:46:25 +0100
Source: libmatio
Architecture: source
Version: 1.5.13-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Team <[email protected]>
Changed-By: Sébastien Villemot <[email protected]>
Closes: 924185
Changes:
 libmatio (1.5.13-2) unstable; urgency=medium
 .
   * Fix security issues
     + fix-reading-vars-from-mat-v5.patch: new patch backported from upstream.
       Fixes CVE-2019-9026, CVE-2019-9027, CVE-2019-9028, CVE-2019-9029,
       CVE-2019-9030, CVE-2019-9031, CVE-2019-9032, CVE-2019-9033,
       CVE-2019-9034, CVE-2019-9035, CVE-2019-9038.
     + fix-printing-vars-from-mat-v5.patch: new patch backported from upstream.
       Fixes CVE-2019-9037.
     + avoid-int-mult-overflow.patch: new patch backported from upstream.
       Fixes CVE-2019-9036.
     + d/copyright: mention two files added by the latest patch.
     (Closes: #924185)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---