Debian Bug report logs - #854054
icoutils: CVE-2017-6010 CVE-2017-6011


Package: icoutils; Maintainer for icoutils is Colin Watson <cjwatson@debian.org>; Source for icoutils is src:icoutils.

Reported by: "op7ic \\x00" <op7ica@gmail.com>

Date: Fri, 3 Feb 2017 13:30:01 UTC

Severity: grave

Tags: security, upstream

Found in versions 0.31.1, icoutils/0.31.1-1

Fixed in versions icoutils/0.31.2-1, 0.31.0-2+deb8u3

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#854054; Package icoutils. (Fri, 03 Feb 2017 13:30:03 GMT).


Acknowledgement sent to "op7ic \\x00" <op7ica@gmail.com>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>. (Fri, 03 Feb 2017 13:30:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: "op7ic \\x00" <op7ica@gmail.com>
To: submit@bugs.debian.org
Subject: Fwd: Buffer Overflows and OOBs in icotool
Date: Fri, 3 Feb 2017 13:26:49 +0000
Package: icoutils
Version: 0.31.1


---------- Forwarded message ----------
From: op7ic \x00 <op7ica@gmail.com>
Date: Wed, Feb 1, 2017 at 11:28 AM
Subject: Buffer Overflows and OOBs in icotool
To: frank.richter@gmail.com, oskar@osk.mine.nu


Please see attached reports.
[BO_extract_icons.txt (text/plain, attachment)]
[OOB_simple_vec.txt (text/plain, attachment)]

Changed Bug title to 'icoutils: CVE-2017-6010' from 'Fwd: Buffer Overflows and OOBs in icotool'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Feb 2017 20:06:04 GMT).


Marked as found in versions icoutils/0.31.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Feb 2017 20:06:07 GMT).


Changed Bug title to 'icoutils: CVE-2017-6010 CVE-2017-6011' from 'icoutils: CVE-2017-6010'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Feb 2017 20:09:02 GMT).


Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Feb 2017 20:12:05 GMT).


Severity set to 'grave' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Feb 2017 20:12:09 GMT).


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Tue, 07 Mar 2017 22:36:09 GMT).


Notification sent to "op7ic \\x00" <op7ica@gmail.com>:
Bug acknowledged by developer. (Tue, 07 Mar 2017 22:36:09 GMT).


Message #20 received at 854054-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 854054-close@bugs.debian.org
Subject: Bug#854054: fixed in icoutils 0.31.2-1
Date: Tue, 07 Mar 2017 22:34:21 +0000
Source: icoutils
Source-Version: 0.31.2-1

We believe that the bug you reported is fixed in the latest version of
icoutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854054@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated icoutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 07 Mar 2017 22:18:53 +0000
Source: icoutils
Binary: icoutils
Architecture: source
Version: 0.31.2-1
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 icoutils   - Create and extract MS Windows icons and cursors
Closes: 854050 854054
Changes:
 icoutils (0.31.2-1) unstable; urgency=high
 .
   * New upstream release.
     - CVE-2017-6009, CVE-2017-6010, CVE-2017-6011: Various security fixes
       from Martin Gieseking, issues found by Jerzy Kramarz (closes: #854050,
       #854054).




Marked as fixed in versions 0.31.0-2+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 12 Mar 2017 17:36:03 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Apr 2017 07:26:33 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:46:48 2025; Machine Name: bembo
