Bug#873903: marked as done (libidn: CVE-2017-14062: integer overflow in decode_digit)

[Debian Bug Tracking System]

Your message dated Tue, 12 Sep 2017 10:05:25 +0000
with message-id <address@hidden>
and subject line Bug#873903: fixed in libidn 1.33-2
has caused the Debian Bug report #873903,
regarding libidn: CVE-2017-14062: integer overflow in decode_digit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact address@hidden
immediately.)


-- 
873903: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873903
Debian Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> libidn2-0: CVE-2017-14062: integer overflow in decode_digit
>
>
>
>
> Date: 
>
> Fri, 01 Sep 2017 06:52:53 +0200
>
>
>
>
> Source: libidn2-0
> Version: 0.10-2
> Severity: important
> Tags: upstream security patch
>
> Hi,
>
> the following vulnerability was published for libidn2-0.
>
> CVE-2017-14062[0]:
> | Integer overflow in the decode_digit function in puny_decode.c in
> | Libidn2 before 2.0.4 allows remote attackers to cause a denial of
> | service or possibly have unspecified other impact.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14062
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062
> [1] 
> https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
>
> Regards,
> Salvatore
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Bug#873903: fixed in libidn 1.33-2
>
>
>
>
> Date: 
>
> Tue, 12 Sep 2017 10:05:25 +0000
>
>
>
>
> Source: libidn
> Source-Version: 1.33-2
>
> We believe that the bug you reported is fixed in the latest version of
> libidn, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to address@hidden,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Ondřej Surý <address@hidden> (supplier of updated libidn package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing address@hidden)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Tue, 12 Sep 2017 11:18:33 +0200
> Source: libidn
> Binary: idn libidn11-dev libidn11 libidn11-java
> Architecture: source
> Version: 1.33-2
> Distribution: unstable
> Urgency: high
> Maintainer: Ondřej Surý <address@hidden>
> Changed-By: Ondřej Surý <address@hidden>
> Description:
>  idn        - Command line and Emacs interface to GNU Libidn
>  libidn11   - GNU Libidn library, implementation of IETF IDN specifications
>  libidn11-dev - Development files for GNU Libidn, an IDN library
>  libidn11-java - Java port of the GNU Libidn library, an IDN implementation
> Closes: 853493 873903
> Changes:
>  libidn (1.33-2) unstable; urgency=high
>  .
>    * CVE-2017-14062: Fix integer overflow in decode_digit (Closes: #873903)
>    * Add myself to Uploaders
>    * Pull upstream patches of gcc-7 compatibility (Closes: #853493)
>    * Add help2man to Build-Depends to fix FTBFS
>    * Update Makefile.gdoc to use $(GDOC_BIN) instead of hardcoded path
> Checksums-Sha1:
>  dc6b0c5e7dfc69c922547e4e719a76dc1c271914 2392 libidn_1.33-2.dsc
>  5ee0924140992dc20b6b612e7a98ce603da97f74 65292 libidn_1.33-2.debian.tar.xz
>  9bf4fccff9727adc01a8034d7aedb295920662be 9826 libidn_1.33-2_amd64.buildinfo
> Checksums-Sha256:
>  80fbd163a786f6ea83d983e82afc19b793a0769463802ebfb74fec296f6e3696 2392 
> libidn_1.33-2.dsc
>  13e3e90d34fefcfb81036b28311aa2771a98d998233b615f831df8ee988e4c9e 65292 
> libidn_1.33-2.debian.tar.xz
>  8b62602ebc2b87dcfc4ab53aa72a5eaa23b8f0e9094ef08bcf4d7ce67af1a7a7 9826 
> libidn_1.33-2_amd64.buildinfo
> Files:
>  c50b736157d952137bb86a6a214f146e 2392 libs optional libidn_1.33-2.dsc
>  f108dcbc20029560ee767af77099599c 65292 libs optional 
> libidn_1.33-2.debian.tar.xz
>  b253011110204db5f7d476e4c211106e 9826 libs optional 
> libidn_1.33-2_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlm3q8ZfFIAAAAAALgAo
> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
> QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
> uwcbphAAsFMOMPFVA/CRR2hLKInCPZihM3PBHiDe4WdF4bDVdIGRDPEK+nXevUrd
> ShxxG4nVelOXIHvI/6uzgAjfexqxxXXsRVW5X9k2qfjIygzrF0SWB/QloeW5A4dN
> OxIZL64eH3/HIfLMmrcqEG9bWvAVDMiDzNqhBFLvAHaMGE+Xn9oCCVuk0ulJ04pB
> C0rrguTuLc1UP1xzoAzrexQ93LWAdAnNPvkB4Yto0vDv3Gim+Gcx3KC/n5e05t0E
> FkG8I2YRNrYg0PSRaZyjTGQwk6nlXFduy4pP5uj+4zWQaGyB1lRiSMknhBu0ohW+
> f+5xZoFc0Q8C619qSOjCSM1E+lK3q0kMSLKASoKxlbeurXm2LsAEFSKUEeuoe7XN
> qjbuCf82bzeChfIarUuCQtqWiZiMOciHVAa3GWI1ishPNheWCYndBCOIMdQCFC+b
> JoN1cSH0kUdby7o7PxDNBQHvK+TZ2MTpVmIEufaSLbf4vb176S60ze/NUo40sIyk
> NTkn6rac0nSlc0loqpMU1mQkrvLYOsOMUFm56Kw55312qyIoFDQDC8jybY+KxMqD
> Fey/zKuZiq4ITueQDQennHiAR+Chlg13z/VkrpBCzDmkmMzGFxIpoE3wqT99dcEt
> yl3+QZkTTNUN6VLQpSaNGO8mv3a4CAWLTs9PAbppL2nAZik4dJ0=
> =oZyt
> -----END PGP SIGNATURE-----
>
> --- End Message ---