Bug#295556: marked as done (FWD: [SECURITY] [DSA 684-1] New typespeed packages fix arbitrary group games code execution)

[Debian Bug Tracking System]

Your message dated Wed, 16 Feb 2005 16:47:29 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#295556: fixed in typespeed 0.4.4-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Feb 2005 17:38:26 +0000
>From [EMAIL PROTECTED] Wed Feb 16 09:38:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D1T86-0000Vm-00; Wed, 16 Feb 2005 09:38:26 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id 6CDDF18048
        for <[EMAIL PROTECTED]>; Wed, 16 Feb 2005 17:38:25 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id 97D516E0EF; Wed, 16 Feb 2005 12:40:40 -0500 (EST)
Date: Wed, 16 Feb 2005 12:40:40 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FWD: [SECURITY] [DSA 684-1] New typespeed packages fix arbitrary group 
games code execution
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--C7zPtVaVf+AK4Oqc
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: typespeed
Tags: security
Severity: grave
Version: 0.4.4-7

Filing this bug to track the security hole in the DSA below. Apparently
a fix for unstable has not yet been uploaded.

----- Forwarded message from Martin Schulze <[EMAIL PROTECTED]> -----

=46rom: Martin Schulze <[EMAIL PROTECTED]>
Date: Wed, 16 Feb 2005 12:50:08 +0100 (CET)
To: Debian Security Announcements <[EMAIL PROTECTED]
g>
Subject: [SECURITY] [DSA 684-1] New typespeed packages fix arbitrary group =
games code execution
User-Agent: dsa-launch $Revision: 1.17 $
Reply-To: debian-security@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 684-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 16th, 2005                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : typespeed
Vulnerability  : format string
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0105

Ulf H=E4rnhammar from the Debian Security Audit Project discovered a
problem in typespeed, a touch-typist trainer disguised as game.  This
could lead to a local attacker executing arbitrary code as group
games.

For the stable distribution (woody) this problem has been fixed in
version 0.4.1-2.3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your typespeed package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3.dsc
      Size/MD5 checksum:      575 70ebea5828757f0c963a27e2d87d8515
    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3.diff.gz
      Size/MD5 checksum:     8457 78235ab890462e83f9c2779d0882e329
    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1.orig.tar.gz
      Size/MD5 checksum:    35492 0af9809cd20bd9010732ced930090f32

  Alpha architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_alpha.deb
      Size/MD5 checksum:    44486 81d20c78d05fd028c5d40a77fc09923d

  ARM architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_arm.deb
      Size/MD5 checksum:    39164 5eedf595ec3b9714e1c7de731f34e5a1

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_i386.deb
      Size/MD5 checksum:    38852 96e8651b24c5cbc48bfb21ed4e8196d4

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_ia64.deb
      Size/MD5 checksum:    50122 d422760c9350d78d2b30a933a2b25df0

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_hppa.deb
      Size/MD5 checksum:    42064 0123e88f6b81d9d95f43d06a73e015b6

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_m68k.deb
      Size/MD5 checksum:    37570 8052b9b8e45dbba90b946eb76d8625fa

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_mips.deb
      Size/MD5 checksum:    41224 897c4771e1cd215e178cb4cc922ede0a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_mipsel.deb
      Size/MD5 checksum:    41250 0972a4ec92ec47bb4cd81e10a9255bee

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_powerpc.deb
      Size/MD5 checksum:    41408 0e3c124090e9f410fe82751214c68cdd

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_s390.deb
      Size/MD5 checksum:    38994 0b9306e15ab0afa697ad9aca5fd799e7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/t/typespeed/typespeed_0.4.=
1-2.3_sparc.deb
      Size/MD5 checksum:    43140 e7f9fbb0dc02dadf975a4f22a0fadc94


  These files will probably be moved into the stable distribution on
  its next update.

- -------------------------------------------------------------------------=
--------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/update=
s/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCEzNwW5ql+IAeqTIRAkbYAJ9Bjy8vBHnpgtcNmZmizYYmUhhDGQCcDnTC
EYvRN6r1hUTqQ1H86RNokEI=3D
=3DzlYF
-----END PGP SIGNATURE-----


--=20
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
rg


----- End forwarded message -----
--=20
see shy jo

--C7zPtVaVf+AK4Oqc
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCE4WXd8HHehbQuO8RAlc/AJ9bwlot2AYsl5p44zyuI0fiWLqbiQCgvi/U
4fpSd5ZBNr2Z0uX8I9DErXA=
=0jdg
-----END PGP SIGNATURE-----

--C7zPtVaVf+AK4Oqc--

---------------------------------------
Received: (at 295556-close) by bugs.debian.org; 16 Feb 2005 21:53:03 +0000
>From [EMAIL PROTECTED] Wed Feb 16 13:53:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D1X6U-0006WX-00; Wed, 16 Feb 2005 13:53:02 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1D1X17-0001xa-00; Wed, 16 Feb 2005 16:47:29 -0500
From: Dafydd Harries <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#295556: fixed in typespeed 0.4.4-8
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 16 Feb 2005 16:47:29 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: typespeed
Source-Version: 0.4.4-8

We believe that the bug you reported is fixed in the latest version of
typespeed, which is due to be installed in the Debian FTP archive:

typespeed_0.4.4-8.diff.gz
  to pool/main/t/typespeed/typespeed_0.4.4-8.diff.gz
typespeed_0.4.4-8.dsc
  to pool/main/t/typespeed/typespeed_0.4.4-8.dsc
typespeed_0.4.4-8_i386.deb
  to pool/main/t/typespeed/typespeed_0.4.4-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dafydd Harries <[EMAIL PROTECTED]> (supplier of updated typespeed package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 16 Feb 2005 22:15:38 +0200
Source: typespeed
Binary: typespeed
Architecture: source i386
Version: 0.4.4-8
Distribution: unstable
Urgency: high
Maintainer: Dafydd Harries <[EMAIL PROTECTED]>
Changed-By: Dafydd Harries <[EMAIL PROTECTED]>
Description: 
 typespeed  - Zap words flying across the screen by typing them correctly
Closes: 295556
Changes: 
 typespeed (0.4.4-8) unstable; urgency=high
 .
   * Security upload.
   * Applied patch by Ulf Härnhammar to fix a format string vulnerability in
     file.c. (CAN-2005-0105) Closes: #295556.
Files: 
 2fa7bc51ed1834c81f0f9d5c7d64c8d0 584 games optional typespeed_0.4.4-8.dsc
 ddedc8c8eacbadbacbe65d57cf727546 6598 games optional typespeed_0.4.4-8.diff.gz
 35f9b2e9b27c006d48ba38327ef61eb2 43550 games optional 
typespeed_0.4.4-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCE7qa2tp5zXiKP0wRAiIOAJ9bJ9RW8fTO9qEqZEvATHobrzY/LQCeJ2/g
lmOT5/Z5mFWhjaDfgndjwbQ=
=A2Qr
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]