Thanks for taking the time to report this bug and helping to make Ubuntu better.

Both CVEs are already in our tracker [1][2]. We don't consider this issue to be critical and have rated it as medium priority [3]. Currently there is no fix available upstream for those CVEs, see [4].

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

[1] https://ubuntu.com/security/CVE-2023-40889
[2] https://ubuntu.com/security/CVE-2023-40890
[3] https://people.canonical.com/~ubuntu-security/priority.html
[4] https://github.com/mchehab/zbar/issues/263

** Bug watch added: github.com/mchehab/zbar/issues #263
   https://github.com/mchehab/zbar/issues/263

** Changed in: zbar (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to zbar in Ubuntu.
https://bugs.launchpad.net/bugs/2039712

Title:
  Two critical CVEs in zbar

Status in zbar package in Ubuntu:
  Confirmed

Bug description:
  There are two CVEs with a score of 9.8 CRITICAL published on 29-08-2023:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-40889
  * https://nvd.nist.gov/vuln/detail/CVE-2023-40890

  No new release seems to be available that fixes these vulnerabilities. The latest package version seems to be zbar-tools (0.23.92-7).

  Additional information:

  ~ $ lsb_release -rd
  No LSB modules are available.
  Description:    Ubuntu 23.04
  Release:        23.04
  ~ $ apt-cache policy zbar-tools
  zbar-tools:
    Installed: 0.23.92-7
    Candidate: 0.23.92-7
    Version table:
   *** 0.23.92-7 500
          500 http://ch.archive.ubuntu.com/ubuntu lunar/universe amd64 Packages
          100 /var/lib/dpkg/status

  # Expected
  No CVE

  # Actual
  There are two known CVEs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zbar/+bug/2039712/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp