Bug#888506: marked as done (lrzip: CVE-2018-5786: Infinite Loop Vulnerability in get_fileinfo)

2022-04-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Apr 2022 17:03:52 +
with message-id 
and subject line Bug#888506: fixed in lrzip 0.651-2
has caused the Debian Bug report #888506,
regarding lrzip: CVE-2018-5786: Infinite Loop Vulnerability in get_fileinfo
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888506
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lrzip
Version: 0.631-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ckolivas/lrzip/issues/91

Hi,

the following vulnerability was published for lrzip.

CVE-2018-5786[0]:
| In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and
| application hang in the get_fileinfo function (lrzip.c). Remote
| attackers could leverage this vulnerability to cause a denial of
| service via a crafted lrz file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5786
[1] https://github.com/ckolivas/lrzip/issues/91

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lrzip
Source-Version: 0.651-2
Done: Laszlo Boszormenyi (GCS) 

We believe that the bug you reported is fixed in the latest version of
lrzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS)  (supplier of updated lrzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Apr 2022 18:37:01 +0200
Source: lrzip
Architecture: source
Version: 0.651-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) 
Changed-By: Laszlo Boszormenyi (GCS) 
Closes: 888506
Changes:
 lrzip (0.651-2) unstable; urgency=high
 .
   * Fix CVE-2018-5786: infinite loop in get_fileinfo() (closes: #888506).

--- End Message ---


Bug#888506: marked as done (lrzip: CVE-2018-5786: Infinite Loop Vulnerability in get_fileinfo)

2018-05-17 Thread Debian Bug Tracking System
Your message dated Thu, 17 May 2018 18:10:21 +
with message-id 
and subject line Bug#888506: fixed in lrzip 0.631+git180517-1
has caused the Debian Bug report #888506,
regarding lrzip: CVE-2018-5786: Infinite Loop Vulnerability in get_fileinfo
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888506
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lrzip
Source-Version: 0.631+git180517-1

We believe that the bug you reported is fixed in the latest version of
lrzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS)  (supplier of updated lrzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 May 2018 15:42:06 +
Source: lrzip
Binary: lrzip
Architecture: source amd64
Version: 0.631+git180517-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) 
Changed-By: Laszlo Boszormenyi (GCS) 
Description:
 lrzip  - compression program with a very high compression ratio
Closes: 863145 863150 863151 863153 863155 863156 866020 866022 887065 888506 897645 898451
Changes:
 lrzip (0.631+git180517-1) unstable; urgency=high
 .
   * Git snapshot release to fix security issues:
     - CVE-2017-8842: divide-by-zero in bufRead::get() (closes: #863156),
     - CVE-2017-8843: NULL pointer dereference in join_pthread()
       (closes: #863155),
     - CVE-2017-8844: heap-based buffer overflow write in read_1g()
       (closes: #863153),
     - CVE-2017-8845: invalid memory read in lzo_decompress_buf()
       (closes: #863151),
     - CVE-2017-8846: use-after-free in read_stream() (closes: #863150),
     - CVE-2017-8847: NULL pointer dereference in bufRead::get()
       (closes: #863145),
     - CVE-2017-9928: stack buffer overflow in get_fileinfo() (closes: #866022),
     - CVE-2017-9929: another stack buffer overflow in get_fileinfo()
       (closes: #866020),
     - CVE-2018-5650: infinite loop from crafted/corrupt archive in
       unzip_match() (closes: #887065),
     - CVE-2018-5747: use-after-free in ucompthread() (closes: #898451),
     - CVE-2018-5786: infinite loop in get_fileinfo() (closes: #888506),
     - CVE-2018-9058: infinite loop in runzip_fd(),
     - CVE-2018-10685: use-after-free in lzma_decompress_buf()
       (closes: #897645).
   * Update homepage location.
   * Update debhelper level to 11:
     - don't need dh_installman anymore,
     - remove dh-autoreconf build dependency,
     - remove autotools-dev build dependency.
   * Update Standards-Version to 4.1.4.