Bug#917807: libcaca: CVE-2018-20544 CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549
Hi nicoo,

On Mon, Mar 11, 2019 at 12:34:56AM +0100, Nicolas Braud-Santoni wrote:
> clone 917807 -1
> retitle -1 Orphan libcaca
> severity -1 normal
> thanks
>
> Hi Sam,
>
> I'm planning on fixing those security issues for Buster.
>
> Given that you last touched the package in 2014, and didn't address this critical
> bug within 3 months, may I go ahead and orphan the package while I'm at it?
>
> I will do so in the absence of an answer, but I shall make sure that my upload
> is delayed until at least next Monday (2019-03-18), so you have time to
> intercept it.

Not the maintainer here, so disclaimer. When fixing the issue just make sure to
cherry-pick all needed changes; as far as I remember there were, for some of the
upstream bugs, iterations on the commits.

Notabene: Upstream is the same as the Debian maintainer, so Sam might give you the
needed input!

Regards,
Salvatore
Bug#917807: libcaca: CVE-2018-20544 CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549
clone 917807 -1
retitle -1 Orphan libcaca
severity -1 normal
thanks

Hi Sam,

I'm planning on fixing those security issues for Buster.

Given that you last touched the package in 2014, and didn't address this critical
bug within 3 months, may I go ahead and orphan the package while I'm at it?

I will do so in the absence of an answer, but I shall make sure that my upload
is delayed until at least next Monday (2019-03-18), so you have time to
intercept it.

Best,
nicoo

On Sun, Dec 30, 2018 at 04:42:04PM +0100, Salvatore Bonaccorso wrote:
> Source: libcaca
> Version: 0.99.beta19-2
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> The following vulnerabilities were published for libcaca.
>
> CVE-2018-20544[0]:
> | There is floating point exception at caca/dither.c (function
> | caca_dither_bitmap) in libcaca 0.99.beta19.
>
> CVE-2018-20545[1]:
> | There is an illegal WRITE memory access at common-image.c (function
> | load_image) in libcaca 0.99.beta19 for 4bpp data.
>
> CVE-2018-20546[2]:
> | There is an illegal READ memory access at caca/dither.c (function
> | get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.
>
> CVE-2018-20547[3]:
> | There is an illegal READ memory access at caca/dither.c (function
> | get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.
>
> CVE-2018-20548[4]:
> | There is an illegal WRITE memory access at common-image.c (function
> | load_image) in libcaca 0.99.beta19 for 1bpp data.
>
> CVE-2018-20549[5]:
> | There is an illegal WRITE memory access at caca/file.c (function
> | caca_file_read) in libcaca 0.99.beta19.
>
> Note: obviously I realize given you are both upstream and Debian
> maintainer you have already fixed this upstream with the reports
> submitted and two of those issues are actually unimportant as the
> Debian build does not use the fallback.
>
> Reporting these issues still in the BTS for tracking purposes.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20544
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
> [1] https://security-tracker.debian.org/tracker/CVE-2018-20545
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
> [2] https://security-tracker.debian.org/tracker/CVE-2018-20546
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
> [3] https://security-tracker.debian.org/tracker/CVE-2018-20547
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
> [4] https://security-tracker.debian.org/tracker/CVE-2018-20548
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
> [5] https://security-tracker.debian.org/tracker/CVE-2018-20549
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
>
> Regards,
> Salvatore
Bug#917807: libcaca: CVE-2018-20544 CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549
Source: libcaca
Version: 0.99.beta19-2
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerabilities were published for libcaca.

CVE-2018-20544[0]:
| There is floating point exception at caca/dither.c (function
| caca_dither_bitmap) in libcaca 0.99.beta19.

CVE-2018-20545[1]:
| There is an illegal WRITE memory access at common-image.c (function
| load_image) in libcaca 0.99.beta19 for 4bpp data.

CVE-2018-20546[2]:
| There is an illegal READ memory access at caca/dither.c (function
| get_rgba_default) in libcaca 0.99.beta19 for the default bpp case.

CVE-2018-20547[3]:
| There is an illegal READ memory access at caca/dither.c (function
| get_rgba_default) in libcaca 0.99.beta19 for 24bpp data.

CVE-2018-20548[4]:
| There is an illegal WRITE memory access at common-image.c (function
| load_image) in libcaca 0.99.beta19 for 1bpp data.

CVE-2018-20549[5]:
| There is an illegal WRITE memory access at caca/file.c (function
| caca_file_read) in libcaca 0.99.beta19.

Note: obviously I realize given you are both upstream and Debian
maintainer you have already fixed this upstream with the reports
submitted and two of those issues are actually unimportant as the
Debian build does not use the fallback.

Reporting these issues still in the BTS for tracking purposes.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20544
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
[1] https://security-tracker.debian.org/tracker/CVE-2018-20545
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
[2] https://security-tracker.debian.org/tracker/CVE-2018-20546
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
[3] https://security-tracker.debian.org/tracker/CVE-2018-20547
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
[4] https://security-tracker.debian.org/tracker/CVE-2018-20548
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
[5] https://security-tracker.debian.org/tracker/CVE-2018-20549
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549

Regards,
Salvatore