Your message dated Mon, 10 Mar 2008 18:02:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#465643: fixed in tintin++ 1.97.9-2
has caused the Debian Bug report #465643,
regarding tintin++: CVE-2008-067[1-3] multiple vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
465643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465643
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tintin++
Version: 1.97.9-1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for tintin++.
CVE-2008-0673[0]:
| TinTin++ 1.97.9 and WinTin++ 1.97.9 open files on the basis of an
| inbound file-transfer request, before the user has an opportunity to
| decline the request, which allows remote attackers to truncate
| arbitrary files in the top level of a home directory.
CVE-2008-0672[1]:
| The process_chat_input function in TinTin++ 1.97.9 and WinTin++ 1.97.9
| allows remote attackers to cause a denial of service (application
| crash) via a YES message without a newline character, which triggers a
| NULL dereference.
CVE-2008-0671[2]:
| Stack-based buffer overflow in the add_line_buffer function in
| TinTin++ 1.97.9 and WinTin++ 1.97.9 allows remote attackers to execute
| arbitrary code via a long chat message, related to conversion from LF
| to CRLF.
If you fix these vulnerabilities please also include the CVE ids
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0673
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0672
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0671
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: tintin++
Source-Version: 1.97.9-2
We believe that the bug you reported is fixed in the latest version of
tintin++, which is due to be installed in the Debian FTP archive:
tintin++_1.97.9-2.diff.gz
to pool/main/t/tintin++/tintin++_1.97.9-2.diff.gz
tintin++_1.97.9-2.dsc
to pool/main/t/tintin++/tintin++_1.97.9-2.dsc
tintin++_1.97.9-2_amd64.deb
to pool/main/t/tintin++/tintin++_1.97.9-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <[EMAIL PROTECTED]> (supplier of updated tintin++ package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 10 Mar 2008 18:09:24 +0100
Source: tintin++
Binary: tintin++
Architecture: source amd64
Version: 1.97.9-2
Distribution: unstable
Urgency: high
Maintainer: Ana Beatriz Guerrero Lopez <[EMAIL PROTECTED]>
Changed-By: Ana Beatriz Guerrero Lopez <[EMAIL PROTECTED]>
Description:
tintin++ - classic text-based MUD client
Closes: 465643
Changes:
tintin++ (1.97.9-2) unstable; urgency=high
.
* Add secutity.patch fixing the following security bugs:
- CVE-2008-0671:
Stack-based buffer overflow in the add_line_buffer function allows
remote attackers to execute arbitrary code via a long chat message,
related to conversion from LF to CRLF.
- CVE-2008-0672:
The process_chat_input function allows remote attackers to cause a
denial of service (application crash) via a YES message without a newline
character, which triggers a NULL dereference.
- CVE-2008-0673:
TinTin++ opens files on the basis of an inbound file-transfer request,
before the user has an opportunity to decline the request, which allows
remote attackers to truncate arbitrary files in the top level of a home
directory.
(Closes: #465643)
.
* Add quilt support for patching.
Files:
70e495765e3b8ee7113f7861135f4212 701 games optional tintin++_1.97.9-2.dsc
84c076763b3f554e0d7dbfce30f77a85 6044 games optional tintin++_1.97.9-2.diff.gz
00b06180069dbc6fc5e286cca97b5a9c 140278 games optional tintin++_1.97.9-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero
iD8DBQFH1XWwn3j4POjENGERAs3jAJ9dHITv/53lwUFyPjUiOsqy+5ak2ACbB0vl
7ayyPfqgnI9eJHpZ/5lTfh8=
=zYtK
-----END PGP SIGNATURE-----
--- End Message ---
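
The two memory-safety bug classes named in the report (CVE-2008-0671, an overflow during LF to CRLF conversion, and CVE-2008-0672, a NULL dereference on a message without a newline) can be illustrated with the bounded form of each operation. This is an added example, not TinTin++ source and not the Debian patch; the function names and the use of strchr() are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration; not TinTin++ code. All names are hypothetical. */

/* Convert bare LF to CRLF into dst. Returns the number of bytes written
 * (excluding the NUL), or -1 if the result would not fit in dst_size.
 * Nothing is ever written past dst + dst_size - 1. */
long lf_to_crlf(const char *src, char *dst, size_t dst_size)
{
    size_t out = 0;
    char prev = '\0';

    if (src == NULL || dst == NULL || dst_size == 0)
        return -1;

    for (; *src != '\0'; prev = *src++) {
        /* A bare LF becomes two bytes, so the worst case is 2x the input:
         * a destination sized like the source is not large enough. */
        size_t need = (*src == '\n' && prev != '\r') ? 2 : 1;

        if (out + need >= dst_size) {   /* reserve one byte for the NUL */
            dst[0] = '\0';              /* reject instead of truncating */
            return -1;
        }
        if (need == 2)
            dst[out++] = '\r';
        dst[out++] = *src;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Length of the first line in msg. strchr() returns NULL when the peer
 * sent no newline; handle that case rather than dereferencing it. */
size_t first_line_len(const char *msg)
{
    const char *nl = strchr(msg, '\n');
    return nl ? (size_t)(nl - msg) : strlen(msg);
}
```
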