X-Loop: help-debbugs@HIDDEN
Subject: bug#47622: vigra package is vulnerable to CVE-2021-30046
Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Tue, 06 Apr 2021 17:22:01 +0000
Resent-Message-ID: <handler.47622.B.161772971820462 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 47622
X-GNU-PR-Package: guix
X-GNU-PR-Keywords:
To: 47622 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.161772971820462
(code B ref -1); Tue, 06 Apr 2021 17:22:01 +0000
Received: (at submit) by debbugs.gnu.org; 6 Apr 2021 17:21:58 +0000
Received: from localhost ([127.0.0.1]:41554 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lTpOn-0005Jy-UP
for submit <at> debbugs.gnu.org; Tue, 06 Apr 2021 13:21:58 -0400
Received: from lists.gnu.org ([209.51.188.17]:59986)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <lle-bout@HIDDEN>) id 1lTpOn-0005Jr-1s
for submit <at> debbugs.gnu.org; Tue, 06 Apr 2021 13:21:57 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:33758)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
id 1lTpOl-0002El-Cr
for bug-guix@HIDDEN; Tue, 06 Apr 2021 13:21:56 -0400
Received: from mail.zaclys.net ([178.33.93.72]:50337)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
id 1lTpOi-0002Fa-NU
for bug-guix@HIDDEN; Tue, 06 Apr 2021 13:21:55 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
[78.195.19.20] (may be forged)) (authenticated bits=0)
by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 136HLndW030215
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <bug-guix@HIDDEN>; Tue, 6 Apr 2021 19:21:50 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136HLndW030215
Authentication-Results: mail.zaclys.net;
dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
s=default; t=1617729710;
bh=LEXZ3DKUXBHQIFkLZ4+6CLGoiiQFXvdGXlJ6PQvlmrE=;
h=Subject:From:To:Date:From;
b=pCDgedRqasMf4yN+8ibad6Mt88fMthCcn5k8LrfQp/cC3ETKMFQWkZLcuMEcIbBEd
gk1ZLa2lyDsv26JhkWS5HeLJa2vi01/twJANbTkHNW0x4KKMh5xOWgTU0Lqs2FDaCh
MrddPt8j56yTNSZynnACZrb4mjj+JZpgkiDU75Zk=
Message-ID: <49b8011d527a93437436f0e9039f638e6f9a7f12.camel@HIDDEN>
From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Date: Tue, 06 Apr 2021 19:21:48 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
protocol="application/pgp-signature"; boundary="=-DRT/wD3eMAAiJMTR7dKy"
User-Agent: Evolution 3.34.2
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.5 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: CVE-2021-30046 15:15 VIGRA Computer Vision Library
Version-1-11-1
contains a segmentation fault vulnerability in the impex.hxx read_image_band()
function, in which a crafted file can cause a denial of [...]
Content analysis details: (1.5 points, 10.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
medium trust [209.51.188.17 listed in list.dnswl.org]
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4)
[209.51.188.17 listed in wl.mailspike.net]
0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
2.8 MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)
--=-DRT/wD3eMAAiJMTR7dKy
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
CVE-2021-30046 15:15
VIGRA Computer Vision Library Version-1-11-1 contains a segmentation
fault vulnerability in the impex.hxx read_image_band() function, in
which a crafted file can cause a denial of service.
Upstream issue: https://github.com/ukoethe/vigra/issues/494
No fix provided yet.
--=-DRT/wD3eMAAiJMTR7dKy
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBsmKwACgkQRaix6GvN
EKb12hAAtIgtQdZJxe22xEavnOd2vU/0g1B7BZZ8R55mb8nr4Ds74k4k+ZTyRQrp
a3S8If7l9Pz64xC7lZKzlxKEapGzCTeH+sI+jYcB5vI2DDwLF4Eqeq31KhrMA/Ki
dvoDmSA7AKWRHDDz+hUqzp655fgIGw4t9YG4+gEg3BQOCeG72Q+Hh1sko6VOOiky
j69c/mq8qzQDcG41iVw5SyK6iFafyONz5urMzzfe0D/C0HRFhlYB5+mZ5a3orzye
Q/t5i2fn7fm1q7x07i3/OLqeMtrPrtBQ1SK13rCNXKUaRQtRLwMu84VNCQ6qXoC1
Q7+ahuN8pzDSux6er0bQtKE1DL38nV7RSfyjo+q4dBSKJeotN9V5ZcyMySWUkosz
6uWJh8PX1ZKcAfLKDDujI+sTB8VUQD5RQFNZV1fni1tsNJIBWYgynvmCSWOoHRan
wJM98nVFkejAvDJvOFd2o6VEGOsWVS1qrIlGAc8r3Sk76V3IxLE+eaKpv+VMHalz
B5Vy2F2CT8x4oMe7XMBV0Lbpw/GgtQ03mIXlMWUFIJbrI3ZMKBclornXI8Itw2vH
Hk3wPMLAjwYDpRl+Lv2C88s6OBGSzvUDbgbJ8pTi7YGVnKoJoWqQ6137kxT337PA
NmIWzBqfHxIrYaGgs4o4lp8C1M9yHsZxMXnD2MgC6GSQjjhkcek=
=GhRa
-----END PGP SIGNATURE-----
--=-DRT/wD3eMAAiJMTR7dKy--
Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) Content-Type: text/plain; charset=utf-8 X-Loop: help-debbugs@HIDDEN From: help-debbugs@HIDDEN (GNU bug Tracking System) To: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN> Subject: bug#47622: Acknowledgement (vigra package is vulnerable to CVE-2021-30046) Message-ID: <handler.47622.B.161772971820462.ack <at> debbugs.gnu.org> References: <49b8011d527a93437436f0e9039f638e6f9a7f12.camel@HIDDEN> X-Gnu-PR-Message: ack 47622 X-Gnu-PR-Package: guix Reply-To: 47622 <at> debbugs.gnu.org Date: Tue, 06 Apr 2021 17:22:02 +0000 Thank you for filing a new bug report with debbugs.gnu.org. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): bug-guix@HIDDEN If you wish to submit further information on this problem, please send it to 47622 <at> debbugs.gnu.org. Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system. --=20 47622: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D47622 GNU Bug Tracking System Contact help-debbugs@HIDDEN with problems
Received: (at control) by debbugs.gnu.org; 6 Apr 2021 17:23:05 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 06 13:23:05 2021 Received: from localhost ([127.0.0.1]:41559 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lTpPt-0005MU-9z for submit <at> debbugs.gnu.org; Tue, 06 Apr 2021 13:23:05 -0400 Received: from mail.zaclys.net ([178.33.93.72]:32879) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lle-bout@HIDDEN>) id 1lTpPr-0005Lo-Sa for control <at> debbugs.gnu.org; Tue, 06 Apr 2021 13:23:04 -0400 Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 136HMwsC030309 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <control <at> debbugs.gnu.org>; Tue, 6 Apr 2021 19:22:58 +0200 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136HMwsC030309 Authentication-Results: mail.zaclys.net; dmarc=fail (p=reject dis=none) header.from=zaclys.net Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@HIDDEN DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1617729778; bh=0MwVvLE+h8VuImb/YqtsNulo6Zg0js7ng2NLtA5lHEI=; h=Subject:From:To:Date:From; b=lptG5HI72ZwwBX7o5TuwgPjaR9KnL7M+5i9USp32L1Uc9nuG6BHEDhwIQV4sy/f53 uQa5OZkthdjHqHsQnjbT/8dzQAjp3VBe1pcvfFRPQp52kM+0w1/r/wWFVK5OM3hoQc EV6SQCg4D7QX2269QCEPDgSSLFBOI+o2131TBLi0= Message-ID: <39f093453400486423e834d1f1ba7e924973d959.camel@HIDDEN> Subject: From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN> To: control <at> debbugs.gnu.org Date: Tue, 06 Apr 2021 19:22:57 +0200 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-BPCejmfwm9l37wktTCTB" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 X-Spam-Score: 2.0 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: tags 47622 + security quit Content analysis details: (2.0 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 2.0 BLANK_SUBJECT Subject is present but empty X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: 1.0 (+) --=-BPCejmfwm9l37wktTCTB Content-Type: text/plain Content-Transfer-Encoding: quoted-printable tags 47622 + security quit --=-BPCejmfwm9l37wktTCTB Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBsmPEACgkQRaix6GvN EKZUahAAmwN90pj7Qz5hSsAG3iqTD3qMgRbTya/ckE3gX/Gf3GFSc9cK+73jteUy +gj0jMnSFymuEkGaTsHFGY9N7xOlVnEGrAAXpBEmWlRYOZIu3ngXwIkYI1QQqe5I asJIN4PVT0XXjsVREvmCjPW4Ij+CW0Wcu9FuikQPAQwtKZTj2KhMItITduDp9/9k O2cLbmrdcji8o4OAyNv0w09hUx9CMUIbmAm1h9DCKZIJ+kqqvZhUaLWqqCttem9B /KbthvMswtHxSo1O1p0Jx6aBjID4f9Jg1FmRPs38tKcZ9NNL4fu0bfrkb+SqiZZi e7D7ybhwGy4dxyAzsfrMArH9FbFjXm6GWoHz6D4iwL4fIon3XZa5ur3fCY+UJBHl 60Xk74/6Ir9yvYuQL9Z9/YEjXbXGhveQbOiPXnBYUB4z9PyVnCKg1MsBKL1oNEyk u9WHX4m3uQSULep2suAVQOlFMrg+G9hKZXAOFl8DLm+AFuhZk/8pqkNFECAwNWDP 0Z0LkcAXNVkpkgxZaHAjhdwVgB0Gf5O6HrqvIi0VB1TWbXZqDgrxF42E4HG6QH+Z EI8pGJXMURdf9aJ/vJETp8UzAWKsR2LN2U9DjliuostCmzYuA7D/B9oU5favZCmM 2nNy7YwfQlTV3d4Qh5DjncN+ISehKM/YnuBjC7Rd29SB7tO16LQ= =YSjm -----END PGP SIGNATURE----- --=-BPCejmfwm9l37wktTCTB--
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.