Your message dated Thu, 17 May 2018 18:10:21 +
with message-id
and subject line Bug#888506: fixed in lrzip 0.631+git180517-1
has caused the Debian Bug report #888506,
regarding lrzip: CVE-2018-5786: Infinite Loop Vulnerability in get_fileinfo
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
888506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888506
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lrzip
Version: 0.631-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ckolivas/lrzip/issues/91
Hi,
the following vulnerability was published for lrzip.
CVE-2018-5786[0]:
| In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and
| application hang in the get_fileinfo function (lrzip.c). Remote
| attackers could leverage this vulnerability to cause a denial of
| service via a crafted lrz file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5786
[1] https://github.com/ckolivas/lrzip/issues/91
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lrzip
Source-Version: 0.631+git180517-1
We believe that the bug you reported is fixed in the latest version of
lrzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) (supplier of updated lrzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 17 May 2018 15:42:06 +
Source: lrzip
Binary: lrzip
Architecture: source amd64
Version: 0.631+git180517-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS)
Changed-By: Laszlo Boszormenyi (GCS)
Description:
lrzip - compression program with a very high compression ratio
Closes: 863145 863150 863151 863153 863155 863156 866020 866022 887065 888506 897645 898451
Changes:
lrzip (0.631+git180517-1) unstable; urgency=high
.
* Git snapshot release to fix security issues:
- CVE-2017-8842: divide-by-zero in bufRead::get() (closes: #863156),
- CVE-2017-8843: NULL pointer dereference in join_pthread()
(closes: #863155),
- CVE-2017-8844: heap-based buffer overflow write in read_1g()
(closes: #863153),
- CVE-2017-8845: invalid memory read in lzo_decompress_buf()
(closes: #863151),
- CVE-2017-8846: use-after-free in read_stream() (closes: #863150),
- CVE-2017-8847: NULL pointer dereference in bufRead::get()
(closes: #863145),
- CVE-2017-9928: stack buffer overflow in get_fileinfo() (closes: #866022),
- CVE-2017-9929: another stack buffer overflow in get_fileinfo()
(closes: #866020),
- CVE-2018-5650: infinite loop from crafted/corrupt archive in
unzip_match() (closes: #887065),
- CVE-2018-5747: use-after-free in ucompthread() (closes: #898451),
- CVE-2018-5786: infinite loop in get_fileinfo() (closes: #888506),
- CVE-2018-9058: infinite loop in runzip_fd(),
- CVE-2018-10685: use-after-free in lzma_decompress_buf()
(closes: #897645).
* Update homepage location.
* Update debhelper level to 11:
- don't need dh_installman anymore,
- remove dh-autoreconf build dependency,
- remove autotools-dev build dependency.
* Update Standards-Version to 4.1.4.
Checksums-Sha1:
55c93759cf16e87ae9d56738e982f07396de915c 1833 lrzip_0.631+git180517-1.dsc
49d52bb9edc1524469d618cbe867560c8d704060 200660 lrzip_0.631+git180517.orig.tar.xz
3fbd5121440aee6c9a26fe2e53c0a7e42f095781 7688 lrzip_0.631+git180517-1.debian.tar.xz
8ac6130b8ceea862a54b253ffc17ebfc79b0cdb2 606280 lrzip-dbgsym_0.631+git180517-1_amd64.deb
f79257b587a3fe3594f79400906d19018b352df5 6826 lrzip_0.631+git180517-1_amd64.buildinfo
c10d6d80eaba467bd8472a836ee192dae21edf17 258876