Your message dated Mon, 29 Apr 2024 18:12:23 +0000
with message-id <[email protected]>
and subject line Bug#1031877: fixed in vtk9 9.1.0+really9.1.0+dfsg2-8
has caused the Debian Bug report #1031877,
regarding vtk9: CVE-2021-42521
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1031877: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031877
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vtk9
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for vtk9.

CVE-2021-42521[0]:
| There is a NULL pointer dereference vulnerability in VTK, and it lies
| in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return
| value of libxml2 API 'xmlDocGetRootElement', and tries to dereference
| it. It is unsafe as the return value can be NULL and that NULL pointer
| dereference may crash the application.

https://gitlab.kitware.com/vtk/vtk/-/issues/17818

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42521
    https://www.cve.org/CVERecord?id=CVE-2021-42521

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: vtk9
Source-Version: 9.1.0+really9.1.0+dfsg2-8
Done: Michael R. Crusoe <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vtk9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael R. Crusoe <[email protected]> (supplier of updated vtk9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Apr 2024 16:16:28 +0200
Source: vtk9
Architecture: source
Version: 9.1.0+really9.1.0+dfsg2-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <[email protected]>
Changed-By: Michael R. Crusoe <[email protected]>
Closes: 1031877 1054471 1064762 1068321
Changes:
 vtk9 (9.1.0+really9.1.0+dfsg2-8) unstable; urgency=medium
 .
   [ Bo YU ]
   * Team upload.
   * Add support for loongarch64. Thanks to Dandan Zhang
     <[email protected]>. (Closes: #1054471)
 .
   [ Michael R. Crusoe ]
   * Cherry-pick patch from upstream to fix issue with newer expat and
     appended data. Closes: #1064762
   * d/control: build-dep on libhdf5-mpi-dev instead of
     libhdf5-openmpi-dev. Closes: #1068321
   * Cherry-pick patch from upstream to fix CVE-2021-42521. Closes:
     #1031877.
   * Fix Maintainer name of Debian Science team (routine-update)
   * Remove trailing whitespace in debian/copyright (routine-update)
   * d/control: Updated some dependencies on obsolete or superseded package
     names.

--- End Message ---
-- 
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
