Bug#899999: liblouis: CVE-2018-11410
carnil at debian.org
Fri May 25 18:33:46 BST 2018
On Fri, May 25, 2018 at 01:15:55PM +0200, Samuel Thibault wrote:
> Salvatore Bonaccorso, on Fri. 25 May 2018 12:24:28 +0200, wrote:
> > On Fri, May 25, 2018 at 11:00:49AM +0200, Samuel Thibault wrote:
> > > Hello
> > >
> > > Salvatore Bonaccorso, on Thu. 24 May 2018 16:16:16 +0200, wrote:
> > > > The following vulnerability was published for liblouis, it was
> > > > reported at , not sure if it was forwarded to upstream, can you
> > > > double check that?
> > >
> > > I reported it to upstream and it is now fixed there. I have uploaded a
> > > fixed package to unstable as version 3.5.0-2.
> > >
> > > I have prepared a stable upload in
> > > git at salsa.debian.org:a11y-team/liblouis.git in the debian-stretch branch
> > >
> > > The buffer overflow can be exploited only if one is able to feed the
> > > content of a braille table, which is not normally something that is
> > > possible, usually only the content of the text to be transcribed to
> > > braille can be fed, so I don't see any situation where this can really
> > > be a security concern, so I guess a simple stable upload would be
> > > enough?
> > I agree, if you can prepare an update to be included in the upcoming
> > point release for stretch that would be great!
> Ok, liblouis_3.0.0-3+deb9u2 is now in proposed-updates->stable-new,
> should I reportbug release.debian.org, or should the security team
> handle it?
Yes, please do reportbug against release.d.o (although it's allowed to
already upload, the release team still would like to have a bug for
the update, cf. ).