Your message dated Tue, 04 Dec 2007 13:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#453686: fixed in libcairo 1.4.10-1.1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libcairo
Version: 1.4.10-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libcairo.
CVE-2007-5503[0]:
| Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers
| to execute arbitrary code, as demonstrated using a crafted PNG image, which is
| not properly handled by the read_png function.
Until now this CVE seems to be reserved, see
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5503 in the meanwhile.
Patches can be found on:
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
I did not check if the stable version is also prone to this.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpqR0Hu8Ehii.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: libcairo
Source-Version: 1.4.10-1.1
We believe that the bug you reported is fixed in the latest version of
libcairo, which is due to be installed in the Debian FTP archive:
libcairo-directfb2-dev_1.4.10-1.1_i386.deb
to pool/main/libc/libcairo/libcairo-directfb2-dev_1.4.10-1.1_i386.deb
libcairo-directfb2-udeb_1.4.10-1.1_i386.udeb
to pool/main/libc/libcairo/libcairo-directfb2-udeb_1.4.10-1.1_i386.udeb
libcairo-directfb2_1.4.10-1.1_i386.deb
to pool/main/libc/libcairo/libcairo-directfb2_1.4.10-1.1_i386.deb
libcairo2-dev_1.4.10-1.1_i386.deb
to pool/main/libc/libcairo/libcairo2-dev_1.4.10-1.1_i386.deb
libcairo2-doc_1.4.10-1.1_all.deb
to pool/main/libc/libcairo/libcairo2-doc_1.4.10-1.1_all.deb
libcairo2_1.4.10-1.1_i386.deb
to pool/main/libc/libcairo/libcairo2_1.4.10-1.1_i386.deb
libcairo_1.4.10-1.1.diff.gz
to pool/main/libc/libcairo/libcairo_1.4.10-1.1.diff.gz
libcairo_1.4.10-1.1.dsc
to pool/main/libc/libcairo/libcairo_1.4.10-1.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated libcairo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 03 Dec 2007 17:20:59 +0100
Source: libcairo
Binary: libcairo-directfb2-udeb libcairo-directfb2-dev libcairo-directfb2
libcairo2-doc libcairo2 libcairo2-dev
Architecture: source i386 all
Version: 1.4.10-1.1
Distribution: unstable
Urgency: high
Maintainer: Dave Beckett <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libcairo-directfb2 - The Cairo 2D vector graphics library DirectFB build
libcairo-directfb2-dev - Development files for Cairo graphics library DirectFB
build
libcairo-directfb2-udeb - The Cairo 2D vector graphics library DirectFB build
(udeb)
libcairo2 - The Cairo 2D vector graphics library
libcairo2-dev - Development files for the Cairo 2D graphics library
libcairo2-doc - Documentation for the Cairo Multi-platform 2D graphics library
Closes: 453686
Changes:
libcairo (1.4.10-1.1) unstable; urgency=high
.
* Non-maintainer upload by testing-security team.
* Fix multiple integer overflows leading to arbitrary code
execution (CVE-2007-5503; Closes: #453686).
Files:
61658caf9ed886f80ae37471a5eeef31 885 libs optional libcairo_1.4.10-1.1.dsc
88e7c87fc9c6dc90e08fceb6c408c2fd 28098 libs optional
libcairo_1.4.10-1.1.diff.gz
fbf24799ef0c9adea5d4ada126ffed3b 599518 libdevel optional
libcairo2-dev_1.4.10-1.1_i386.deb
534e07505604f981082bd0db965f691a 521696 libs optional
libcairo2_1.4.10-1.1_i386.deb
2fd6e9bbde539a5b4a7567f7c63f6502 411374 libs optional
libcairo2-doc_1.4.10-1.1_all.deb
6c40431074da99b1397d688663f295f9 183752 debian-installer optional
libcairo-directfb2-udeb_1.4.10-1.1_i386.udeb
817b1ea2caf217e4f4e65bf5a3a88ee8 476386 libs optional
libcairo-directfb2_1.4.10-1.1_i386.deb
bc3ecc4994915644e9c486ad71ef230c 544460 libdevel optional
libcairo-directfb2-dev_1.4.10-1.1_i386.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVVhVHYflSXNkfP8RAubIAJ9qEp0gX5ToU+U9t04EkI8O2L2c2wCeLzS8
q/o8/vczGMwF8Xt4c5BvG58=
=gP1n
-----END PGP SIGNATURE-----
--- End Message ---
