as possible in
the ML.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
signature.asc
Description: PGP signature
CVEs are already marked as fixed, but the fix is 'only present'
in wheezy-security (have a look at the global overview[0], they are in the
"resolved issues" section).
Cheers,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/libav
--
Hugo Lefeuvre (hle)|
+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
ffmpeg - Multimedia player, server, encoder and transcoder (transitional p
ond...@debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
botan1.10-dbg - multiplatform crypto library (debug)
libbotan-1.10-0 - multiplatform crypto library
libbotan1.10-dev - multiplatform crypto library (development)
Changes:
botan1.10 (1.10.5-1+deb7u2) wheezy-secur
l have them,
but it doesn't hurt to try.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
imes.cat-v.org/
[1]
http://git.qemu.org/?p=qemu.git;a=commit;h=805b5d98c649d26fc44d2d7755a97f18e62b438a
[2] https://marc.info/?l=oss-security&m=147259351226835&w=2
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
wheezy system to get rid of the first virtualization level.
Cheers,
Hugo
[0] https://www.mail-archive.com/kvm@vger.kernel.org/msg30993.html
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
ublic fix explaining the security issue has been released ?
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
org/tracker/CVE-2016-7116
[1]
http://git.qemu.org/?p=qemu.git;a=commit;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261
[2]
http://sources.debian.net/src/qemu/1:2.1%2Bdfsg-12%2Bdeb8u5a~bpo70%2B1/hw/9pfs/
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C A
also mark them as no-dsa.
Cheers,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/libav
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Hi,
> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> intend to address with your fixes? Do you mind working together with
> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> resources together.
(24 if we count the two issues m
Hi Diego,
> What's the problem with cooperating through the upstream repository?
No problem for me as long as I can easily determine which commit fixes
which CVE.
I'll start preparing an LTS upload integrating your first patches.
Cheers,
Hugo
--
Hugo Lefeuvre (
ait for your release.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
d idea but it will
probably modify a large quantity of source code at once, and thus make debugging
harder in case of regressions.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
it would be better to have these patches
merged in the upstream repository if we want to upload them. But, anyway,
I wanted to wait for Diego's answer, as he is a libav developer.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C A
another
LTS upload for CVE-2016-7170 later, if needed.
I should write two separate DLAs for qemu and qemu-kvm, right ?
Cheers,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2016-7170
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90
elpful.
> I always feel more comfortable with these things fixed than unfixed.
OK, I'll prepare an upload. Anyway, I will also ship the upstream patch
for CVE-2016-7161.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E
the updated package before it gets released.
Thank you very much.
Hugo Lefeuvre,
on behalf of the Debian LTS team.
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
ffmpeg - Multimedia player, server, encoder and transcoder (transitional p
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: libav
Version: 6:0.8.18-0+deb7u1
CVE ID : CVE-2015-1872 CVE-2015-5479 CVE-2016-7393
Multiple vulnerabilities have been found in libav:
CVE-2015-1872
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in
org/?p=qemu.git;a=commit;h=53c30545fb34c43c84d62ea1c2b0dc6b53303c34
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
qemu - fast processor emulator
qemu-keymaps - QEMU keyboard maps
qemu-system - QEMU full system emulation binaries
qemu-user - QEMU user mode emulation bi
,
and it may apply with some adaptations on the wheezy version. Should I
prepare a qemu update only for this little patch?
Otherwise, I'd like to mark it as non-dsa.
Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
t;c...@debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
quagga - BGP/OSPF/RIP routing daemon
quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
quagga-doc - documentation files for quagga
Closes: 822787 835223
Changes:
quagga (0.99.22.4-1+wheezy3) wheezy-security;
Hi,
I've packaged the 0.8.18 release of libav for wheezy-security. The
version number was previously 6:0.8.17-2+deb7u2. Could anybody confirm
me that the new version number should be 6:0.8.18-1+deb7u1 ?
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F
ee
> success before looking into it more closely.
Thank you.
I've packaged your new release, and will upload it soon. However,
more than 15 CVEs are still affecting libav in Debian wheezy. Would it
be feasible to work on a new point release fixing some of them ?
Cheers,
Hugo
--
.
* Prepared a security update for libav fixing CVE-2016-7393, CVE-2015-1872 and
CVE-2015-5479 (packaging of the new upstream release). Not uploaded yet.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Hi Diego,
Could you summarize us the status of your work on the 0.8.x branch ?
I'd like to know if it's still possible to have a point release before
the end of the month.
Thanks !
Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C
fected by the issue.
I'll prepare a patch adding the usb_xhci_exit function and will
perform some more tests.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
.ru>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 840340 840341 840343 840945
Changes:
qemu-kvm (1.1.2+dfsg-6+deb
just had a look at the embedded version of QEMU (which is,
by the way, very old now (0.10.2)), and it seems to be vulnerable to
several security issues already fixed in qemu and qemu-kvm...
I wasn't aware that Xen was embedding QEMU (what a weird idea !?).
Cheers,
Hugo
--
Hugo Lef
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
qemu - fast processor emulator
qemu-keymaps - QEMU keyboard maps
qemu-system - QEMU full system emulation binaries
qemu-user - QEMU user mode emulation bi
ook closely, they are
still affecting Xen.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
lmost the same as in 0.8.
> CVE-2016-8675 / CVE-2016-8676
>
> I can reproduce the crash with 0.8 and 11 so both Wheezy and Jessie are
> affected.
From what I've seen on the tracker, there are some patches that could
(almost) be directly imported from ffmpeg, involving some testi
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
> I am already working on libass. See also dla-needed.txt.
Sorry, I've missed that !
I was writing a bug report for the four CVEs, should I send it ?
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 0
.ru>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 837316 838850 839835
Changes:
qemu-kvm (1.1.2+dfsg-6+deb7u16) whe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: qemu
Version: 1.1.2+dfsg-6+deb7u16
CVE ID : CVE-2016-7161 CVE-2016-7170 CVE-2016-7908
Multiple vulnerabilities have been found in QEMU:
CVE-2016-7161
Heap-based buffer overflow in the .receive callback of
<debia...@lists.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
libxrandr-dev - X11 RandR extension library (development headers)
libxrandr2 - X11 RandR extension library
libxrandr2-dbg - X11 RandR extension library (debug package)
Closes: 840441
Changes:
libxra
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: libxrandr
Version: 2:1.3.2-2+deb7u2
CVE ID : CVE-2016-7947 CVE-2016-7948
Debian Bug : 840441
Insufficient validation of data from the X server in libxrandr
before v1.5.0 can cause out of boundary memory writes
-2007-1322
CVE-2007-1366
CVE-2007-5729
CVE-2007-5730
CVE-2007-6227
CVE-2008-1945
CVE-2008-4539
CVE-2008-4553
CVE-2008-5714
Should I mark Xen as unaffected by these issues in the tracker or should
we just ignore them ?
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096
worth taking time for it...
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
], jessie is not affected).
I'd like to fix this issue. Should I create a tracker entry ?
Cheers,
Hugo
[0]
http://git.qemu.org/?p=qemu.git;a=commit;h=59be75227d3985c9f0a9f5396fc64e357a54defb
[1]
http://git.qemu.org/?p=qemu.git;a=commit;h=92304bf3998cedcf3b1026a795edba7e1fd17c74
--
Hugo
git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68
[5] For the record, the equivalent in wheezy of the modern realize function is
virtio_9p_init in virtio-9p-device.c.
[6]
http://git.qemu.org/?p=qemu.git;a=commit;h=6cecf093735f2e5af7d0e29d957350320044e354
--
Hugo Lefeuvre (
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: libav
Version: 6:0.8.19-0+deb7u1
CVE ID : CVE-2016-7424
Multiple vulnerabilities have been found in libav:
CVE-2016-7424
The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in
libav 11.7 and
+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
ffmpeg - Multimedia player, server, encoder and transcoder (transitional p
sts.debian.org/debian-lts/2016/12/msg00058.html
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
r the advice. So, I can safely ignore all virtIO, qcow & ui issues ?
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
are not included during
compilation because of missing functionalities in the wheezy version of
glibc.
* CVE triage for qemu, qemu-kvm and Xen.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
libav.git;a=commit;h=e807491fc6a336e4becc0cbc981274a8fde18aba
[2]
https://git.libav.org/?p=libav.git;a=commit;h=58405de0951a843765625159402870c1eea3c3b1
[3] https://bugzilla.libav.org/show_bug.cgi?id=983
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C
ive/
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
libvirt.tar.xz
Description: application/xz
can also take time to work on it outside of my assigned
time. In this case however, I'm not sure I'll be able to do it in a
timely manner.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Hi Guido,
Thank you for your investigations.
I've marked CVE-2016-9914/15/16 as no-dsa and will upload my patches for
the two remaining issues.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
qemu - fast processor emulator
qemu-keymaps - QEMU keyboard maps
qemu-system - QEMU full system emulation binaries
qemu-user - QEMU user mode emulat
.ru>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 847951 847960
Changes:
qemu-kvm (1.1.2+dfsg-6+deb7u19) whe
zy are very likely
to really affect it, because the embedded version of qemu is affected.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: qemu-kvm
Version: 1.1.2+dfsg-6+deb7u19
CVE ID : CVE-2016-9911 CVE-2016-9921 CVE-2016-9922
Multiple vulnerabilities have been found in qemu-kvm:
CVE-2016-9911
qemu-kvm built with the USB EHCI Emulation support
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: qemu
Version: 1.1.2+dfsg-6+deb7u19
CVE ID : CVE-2016-9911 CVE-2016-9921 CVE-2016-9922
Multiple vulnerabilities have been found in QEMU:
CVE-2016-9911
Quick Emulator (Qemu) built with the USB EHCI Emulation
ems ?
Otherwise, if nobody is against it, I'd mark the issue no-dsa (the
issue is already no-dsa for Jessie).
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
.)
Cheers,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2017-6596
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
hack.img
Description: Binary data
ch solution is the best, but the second solution is probably
better for future maintenance.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
--- a/src/decompose.c 2017-04-04 10:58:37.436084109 +0200
+++ b/src/decompos
TS is
> 8*(int)sizeof(potrace_word) = 8*(int)sizeof(unsigned long) and that is
> definitely a positive number always.
>
> I think this is definitely optimized away, if it ever had a meaning.
+1
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
affects potrace with higher optimization levels, then
it means probably that something is still going wrong.
Cheers,
Hugo
[0]
https://sources.debian.net/src/potrace/1.13-3/debian/patches/cve-2016-8685.patch/
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F
the
issue on Debian yet (wheezy/jessie/stretch) and asked upstream for his
reproducer.
April is going to be a quieter month, and I should be able to spend all
of my assigned hours.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90
I didn't think of that... Then we could use both -fwrapv and modified
patch.
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: potrace
Version: 1.10-1+deb7u2
CVE ID : CVE-2016-8685
Debian Bug : 843861
It was discovered that potrace, a utility to transform bitmaps into
vector graphics, was affected by an integer overflow in the
org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
libpotrace-dev - development files for potrace library
libpotrace0 - library for tracing bitmaps
potrace - utility to transform bitmaps into vector graphics
Closes: 843861
Changes:
potrace (1.10-1+deb7u2) wheezy-security;
is neither exported, nor passed to ./configure as argument...
I don't understand that such a mistake is present in this rules file.
Could somebody take a look at the debdiff and confirm me that these
changes to debian/rules are pertinent ?
Cheers,
Hugo
--
Hugo Lefeuvre (hle
version than jessie.
Should I mark the issue no-dsa in this case ?
cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
. I'll wait for more issues and will prepare an upload for Jessie if
necessary.
cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
-2017-9833 (boa), propose to unsupport it.
Best Regards,
Hugo
PS: Signed with my new GPG key, transition statement here[0].
[0] https://people.debian.org/~hle/key-transition
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
.
Does anybody know whether our sponsors have interest in boa ?
Otherwise I think we should declare it unsupported.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \broken
In the wheezy version, the fd_open_atomic function doesn't exist and
the existing fd_open function doesn't use loops.
Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Tue, 25 Apr 2017 16:11:13 +0200
Source: partclone
Binary: partclone
Architecture: source amd64
Version: 0.2.48-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Georges Khaznadar <georg...@ofset.org>
Changed-By
/
[2]
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
[3]
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F
?
I feel like fixing this issue is going to be very time consuming and I'm
not sure whether it's worth taking so much time for this (previously
no-dsa triaged) issue. :)
Cheers,
Hugo
[0] https://en.wikipedia.org/wiki/BMP_file_format#Bitmap_file_header
[1] https://cansecwest.com/core05/memory
ally is.
I think this is a crafted file.
By the way, where did you find the reproducer ? I can't find it
anywhere.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
w*h > MAXINT/(4*(frames+1)) // I expect frames+1 to stay positive
<=> w > MAXINT/(4*(frames+1)*h)
or
h > MAXINT/(4*(frames+1)*w)
Tested in practice, it works.
Does anybody have an alternative, maybe more elegant solution idea or integer
overflow check ?
Cheers,
Hug
, but I did not test it.
I can build a test package if needed.
Cheers,
Hugo
[0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
diff -Nru apng2gif-1.5/debian
Hi Moritz,
On Fri, May 19, 2017 at 06:25:43PM +0200, Moritz Muehlenhoff wrote:
> On Fri, May 19, 2017 at 04:23:25PM +0000, Hugo Lefeuvre wrote:
> > Author: hle
> > Date: 2017-05-19 16:23:25 + (Fri, 19 May 2017)
> > New Revision: 51756
> >
> > Modified:
>
required extensive debugging, testing
and patch development (see ML and BTS for apng2gif), which explains
the high amount of hours spent on only two issues.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
UINT_MAX/(4*(frames+1))) which I forgot to handle at the beginning.
regression tests with two "normal" apng files, everything was working
fine.
If nobody is against it, I'd upload this patch now.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: apng2gif
Version: 1.5-1+deb7u1
CVE ID : CVE-2017-6960
Debian Bug : #854367
It was discovered that apng2gif was vulnerable to an integer overflow
resulting in a heap-based buffer over-read/write. A remote
56b132c77aa
It looks like most of the changes are not related to the CVEs.
And the part fixing CVE-2016-8685 is identical to the patch that was
already used in stretch (which is buggy in wheezy).
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 153
two CVEs.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: clamav
Version: 0.99.2+dfsg-0+deb7u3
CVE ID : CVE-2017-6418 CVE-2017-6420
clamav is vulnerable to multiple issues that can lead
to denial of service when processing untrusted content.
CVE-2017-6418
e.
Cheers,
Hugo
[0] https://sourceforge.net/p/lame/mailman/lame-dev/?viewmonth=201709
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Distribution: wheezy-security
Urgency: high
Maintainer: Stuart R. Anderson <ander...@netsweng.com>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
libming-dev - Library to generate SWF (Flash) Files (development files)
libming-util - Library to generate SWF (Flash) Files - Utiliti
3.100.
Regards,
Hugo
[0]
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
source-package/lame
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
:
https://github.com/libming/libming/issues/76
This is quite time-consuming because CVE-2017-11704 is actually caused
by several overflows in multiple methods.
Reproduce CVE-2017-117{04, 28, 29, 30, 32, 34}.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096
ture that is not present in libav.
Regards,
Hugo
[0] http://www.itu.int/rec/T-REC-T.4-200307-I/en
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
it;h=465eb0eb48a14f5308d7fa52c388e7be7170cc3e
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
er starts to be full of zeroes starting at
position 65533 (~ 2^16 = 65536, coincidence ?).
Is there a valid reason for a filter to be full of zeroes ?
Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
.debian.org/879474 .
Thanks for the information, I'll look into it.
Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
month I am planning to continue my work on ming, with the goal of
addressing all remaining issues in a near future.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
< 0.99.22.4-1+wheezy4, I'd like to
continue with 0.99.22.4-1+wheezy4, but this may be somewhat misleading.
Otherwise I'll probably have to use 0.99.22.4-1+wheezy3+deb7u2.
Any advice ?
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 7
for when we want to
> determine whether someone reports a regressions because of a security
> update.
Thanks, I have opted for 0.99.22.4-1+wheezy3+deb7u2.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BA
t;c...@debian.org>
Changed-By: Hugo Lefeuvre <h...@debian.org>
Description:
quagga - BGP/OSPF/RIP routing daemon
quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
quagga-doc - documentation files for quagga
Closes: 879474
Changes:
quagga (0.99.22.4-1+wheezy3+deb7u2) whe