Your message dated Fri, 16 May 2008 13:02:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#481186: fixed in wordnet 1:3.0-10
has caused the Debian Bug report #481186,
regarding CVE-2008-2149: buffer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
481186: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481186
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: wordnet
Severity: grave
Tags: security
Justification: user security hole
Hi
The following CVE(0) has been issued against wordnet.
CVE-2008-2149:
Stack-based buffer overflow in the searchwn function in Wordnet 2.0,
2.1, and 3.0 might allow context-dependent attackers to execute
arbitrary code via a long command line option. NOTE: this issue probably
does not cross privilege boundaries except in cases in which Wordnet is
used as a back end.
More information can be found in the Gentoo bug report(1).
I filed it as an RC bug, because wordnet is sometimes used as a backend
for web applications.
Please mention the CVE id in your changelog, when you fix this bug.
Cheers
Steffen
(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2149
(1): https://bugs.gentoo.org/show_bug.cgi?id=211491
--- End Message ---
--- Begin Message ---
Source: wordnet
Source-Version: 1:3.0-10
We believe that the bug you reported is fixed in the latest version of
wordnet, which is due to be installed in the Debian FTP archive:
dict-wn_3.0-10_all.deb
to pool/main/w/wordnet/dict-wn_3.0-10_all.deb
wordnet-base_3.0-10_all.deb
to pool/main/w/wordnet/wordnet-base_3.0-10_all.deb
wordnet-dev_3.0-10_i386.deb
to pool/main/w/wordnet/wordnet-dev_3.0-10_i386.deb
wordnet-grind_3.0-10_i386.deb
to pool/main/w/wordnet/wordnet-grind_3.0-10_i386.deb
wordnet-sense-index_3.0-10_all.deb
to pool/main/w/wordnet/wordnet-sense-index_3.0-10_all.deb
wordnet_3.0-10.diff.gz
to pool/main/w/wordnet/wordnet_3.0-10.diff.gz
wordnet_3.0-10.dsc
to pool/main/w/wordnet/wordnet_3.0-10.dsc
wordnet_3.0-10_i386.deb
to pool/main/w/wordnet/wordnet_3.0-10_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <[EMAIL PROTECTED]> (supplier of updated wordnet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 15 May 2008 14:20:57 +0200
Source: wordnet
Binary: wordnet wordnet-dev wordnet-base wordnet-sense-index wordnet-grind
dict-wn
Architecture: source all i386
Version: 1:3.0-10
Distribution: unstable
Urgency: high
Maintainer: Andreas Tille <[EMAIL PROTECTED]>
Changed-By: Andreas Tille <[EMAIL PROTECTED]>
Description:
dict-wn - electronic lexical database of English language for dict
wordnet - electronic lexical database of English language
wordnet-base - electronic lexical database of English language
wordnet-dev - electronic lexical database of English language
wordnet-grind - WordNet lexicographer files processor
wordnet-sense-index - electronic lexical database of English language
Closes: 481186
Changes:
wordnet (1:3.0-10) unstable; urgency=high
.
* Fix CVE-2008-2149: buffer overflows by limiting the length
of the string in sprintf format string
Closes: #481186
Please note: The WordNet code contains several other occurrences
of potentially exploitable functions like strcpy()/strcat()/...
and so even if there are no known exploits the code needs a
full security audit.
* Mentioned the potential security issues in README.Debian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFILYKMYDBbMcCf01oRAmMhAJ9MQsn1aS6VDXip9DrSnx4ZbYFsUgCgjs5Q
S9FCFUewXCGKXLmCu1ujLkI=
=f7fq
-----END PGP SIGNATURE-----
--- End Message ---
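
The changelog above describes the fix as limiting the length of the string in the sprintf format string. The following is an added example of that technique, not WordNet source and not the Debian patch: the buffer size, message text and function names are assumptions made for illustration. It shows that the precision has to be derived from the buffer size minus the fixed text of the format, and sets the snprintf form beside it, which also reports truncation.

```c
#include <stdio.h>
#include <string.h>

#define MSG_BUF 256   /* assumed buffer size, not WordNet's */
/* Bytes the format emits besides the word itself. */
#define FIXED_LEN (sizeof("Search for \"\" failed\n") - 1)
/* Largest word that still leaves room for the fixed text and the NUL. */
#define MAX_WORD ((int)(MSG_BUF - FIXED_LEN - 1))

/* Before: "%s" copies the whole argument, so a long command-line word
 * writes past the end of msg. Kept for comparison, never called. */
void report_unbounded(char *msg, const char *word)
{
    sprintf(msg, "Search for \"%s\" failed\n", word);
}

/* After, changelog style: the precision caps how much of word is copied.
 * msg must be at least MSG_BUF bytes. Returns bytes written (no NUL). */
int report_precision(char *msg, const char *word)
{
    return sprintf(msg, "Search for \"%.*s\" failed\n", MAX_WORD, word);
}

/* Alternative: bound the whole output and report truncation (-1). */
int report_snprintf(char *msg, size_t size, const char *word)
{
    int n = snprintf(msg, size, "Search for \"%s\" failed\n", word);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

int main(void)
{
    char longword[1001], msg[MSG_BUF];   /* constructed oversized input */
    memset(longword, 'A', sizeof longword - 1);
    longword[sizeof longword - 1] = '\0';

    printf("precision: wrote %d of %d bytes\n",
           report_precision(msg, longword), MSG_BUF - 1);
    printf("snprintf:  %d (-1 means truncated)\n",
           report_snprintf(msg, sizeof msg, longword));
    printf("short:     %d\n", report_snprintf(msg, sizeof msg, "dog"));
    return 0;
}
```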