Bug#868956: libmspack: CVE-2017-11423

2017-08-15 Thread Sebastian Andrzej Siewior
On 2017-08-15 05:55:49 [+0900], Marc Dequènes (Duck) wrote: > Quack, Hi, > I was at DebConf in Canada, so I was busy meeting people :-). > It should be done before or after flying back home. No worries. We got the two CVEs sorted out and a release in the meantime. I see an unstable upload almost

Bug#868956: libmspack: CVE-2017-11423

2017-08-14 Thread Duck
Quack, On 08/07/2017 04:22 AM, Sebastian Andrzej Siewior wrote: > Marc do plan you upload something to unstable/security soon, wait for a > new release or would you prefer someone else to NMU it with this > change? I was at DebConf in Canada, so I was busy meeting people :-). It should be done

Bug#868956: libmspack: CVE-2017-11423

2017-08-13 Thread Stuart Caie
For your information, libmspack 0.6alpha has now been released. On 06/08/17 20:22, Sebastian Andrzej Siewior wrote: On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote: Commited a fix: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38 I'll put out a release in

Bug#868956: libmspack: CVE-2017-11423

2017-08-06 Thread Sebastian Andrzej Siewior
On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote: > Commited a fix: > https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38 > > I'll put out a release in the near future. thank you Stuart. Marc do plan you upload something to unstable/security soon, wait for a new

Bug#868956: libmspack: CVE-2017-11423

2017-08-06 Thread Stuart Caie
On 05/08/17 10:36, Stuart Caie wrote: libmspack is wrong to convert to unsigned without checking for errors first. When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else. I checked all the other mspack_system

Bug#868956: libmspack: CVE-2017-11423

2017-08-05 Thread Stuart Caie
On 4 Aug 2017 7:40 am, Sebastian Andrzej Siewior wrote: > > The way I see it, the problem is that the read functions returns -1 on > error and libmspack >   https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524 > > treats the return code as unsigned

Bug#868956: libmspack: CVE-2017-11423

2017-08-04 Thread Sebastian Andrzej Siewior
On 2017-07-23 16:52:16 [+0100], Stuart Caie wrote: > Hello, Hi Stuart, > https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191 > > 2015-05-10 Stuart Caie > > * cabd_read_string(): correct rejection of empty strings. Thanks to > > Hanno Böck for

Bug#868956: libmspack: CVE-2017-11423

2017-07-23 Thread Stuart Caie
Hello, I have no more infomation than you do. If you can find out who raised the issue, please ask them to send me the example of the crafted file, The bug says "stack-based buffer over-read and application crash" - the file

Bug#868956: libmspack: CVE-2017-11423

2017-07-23 Thread duck
Quack, I added libmspack's upstream author in case he could give a hand. Here is the bugreport: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956 On 2017-07-20 05:15, Salvatore Bonaccorso wrote: Unfortunately the upstream bug [1] is locked-down. Thanks for reporting it.