Two critical CVEs in zbar
Bug #2039712 reported by
Remi Meier
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| zbar (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
There are two CVEs with a score of 9.8 CRITICAL published on 29-08-2023:
* https:/
* https:/
No new release seems to be available that fixes these vulnerabilities. The latest package version seems to be zbar-tools (0.23.92-7).
Additional information:
~ $ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 23.04
Release: 23.04
~ $ apt-cache policy zbar-tools
zbar-tools:
Installed: 0.23.92-7
Candidate: 0.23.92-7
Version table:
*** 0.23.92-7 500
500 http://
100 /var/lib/
# Expected
No CVE
# Actual
There are two known CVEs
CVE References
| description: | updated |
| information type: | Private Security → Public Security |
Revision history for this message
| Eduardo Barretto (ebarretto) wrote | #1 |
| Changed in zbar (Ubuntu): | |
| status: | New → Confirmed |
To post a comment you must log in.
Thanks for taking the time to report this bug and helping to make Ubuntu better. Both CVEs are already in our tracker[1][2]. We don't consider this issue to be a critical and have rated it to medium Priority [3]. Currently there are no fix available on upstream for those CVEs, see [4].
Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/