Two critical CVEs in zbar
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
zbar (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
There are two CVEs with a score of 9.8 CRITICAL published on 29-08-2023:
* https:/
* https:/
No new release seems to be available that fixes these vulnerabilities. The latest package version seems to be zbar-tools (0.23.92-7).
Additional information:
~ $ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 23.04
Release: 23.04
~ $ apt-cache policy zbar-tools
zbar-tools:
Installed: 0.23.92-7
Candidate: 0.23.92-7
Version table:
*** 0.23.92-7 500
500 http://
100 /var/lib/
# Expected
No CVE
# Actual
There are two known CVEs
CVE References

description: updated
information type: Private Security → Public Security
Thanks for taking the time to report this bug and helping to make Ubuntu better. Both CVEs are already in our tracker [1][2]. We don't consider this issue to be critical and have rated it at medium priority [3]. Currently there is no fix available upstream for those CVEs, see [4].

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

[1] https://ubuntu.com/security/CVE-2023-40889
[2] https://ubuntu.com/security/CVE-2023-40890
[3] https://people.canonical.com/~ubuntu-security/priority.html
[4] https://github.com/mchehab/zbar/issues/263