Your message dated Thu, 09 Apr 2009 16:40:54 +0000
with message-id <e1lrxj8-0001mg...@ries.debian.org>
and subject line Bug#520046: fixed in glib2.0 2.12.4-2+etch1
has caused the Debian Bug report #520046,
regarding glib2.0: CVE-2008-4316 large string vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
520046: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: glib2.0
severity: grave
tags: security
it has been found that libsoup is vulnerable to an integer overflow
attack, see CVE-2008-4316 [1]. details are:
Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
context-dependent attackers to execute arbitrary code via a long
string that is converted either (1) from or (2) to a base64
representation.
since this potentially allows remote attackers to execute arbitrary
code, it should be treated with high urgency.
this was just fixed in ubuntu, so it may be possible to adopt their
patch [2].
note that bug #520039 in libsoup is related (an exact code copy).
if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog. please contact the security team to coordinate
a fix for stable and/or if you have any questions.
regards,
mike
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
[2] http://www.ubuntu.com/usn/USN-738-1
--- End Message ---
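The CVE text quoted in the report above describes integer overflows in the arithmetic that sizes the Base64 output buffer. The C program below is an added illustration of that bug class and is not GLib's gbase64.c, the Ubuntu patch, or any code from this thread: `naive_encoded_size` shows how an unchecked `(len / 3 + 1) * 4 + 1` computation wraps around `size_t` to a tiny value for a specially chosen large length, while `checked_encoded_size` and `safe_base64_encode` show the overflow guard that refuses the input instead of allocating a buffer that is too small for what is written into it. All function names and the sizing formula are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked output sizing (constructed to mirror the bug class, not GLib's code):
 * four output bytes per three input bytes, rounded up, plus a NUL terminator.
 * For a large enough len the multiplication wraps around size_t, so an encoder
 * built on it would allocate far fewer bytes than it then writes. */
size_t naive_encoded_size(size_t len)
{
    return (len / 3 + 1) * 4 + 1;
}

/* Hardened sizing: fail instead of wrapping. groups * 4 + 1 must fit in size_t. */
bool checked_encoded_size(size_t len, size_t *out)
{
    size_t groups = len / 3 + 1;          /* len / 3 < SIZE_MAX, so the +1 cannot wrap */
    if (groups > (SIZE_MAX - 1) / 4)
        return false;
    *out = groups * 4 + 1;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
size_t encoded_size_or_zero(size_t len)
{
    size_t need;
    return checked_encoded_size(len, &need) ? need : 0;
}

/* A length for which the naive formula wraps to exactly 1 on any word size:
 * groups == (SIZE_MAX + 1) / 4, so groups * 4 == 0 modulo 2^bits. */
size_t wrapping_length(void)
{
    return 3 * (SIZE_MAX / 4);
}

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Minimal RFC 4648 encoder built on the checked size. Returns NULL (rather than
 * a too-small buffer) when the output size would overflow or malloc fails. */
char *safe_base64_encode(const unsigned char *in, size_t len)
{
    size_t need, i, o = 0;
    if (!checked_encoded_size(len, &need))
        return NULL;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    for (i = 0; i + 3 <= len; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = b64tab[(v >> 6) & 63];
        out[o++] = b64tab[v & 63];
    }
    size_t rem = len - i;
    if (rem > 0) {                        /* 1 or 2 trailing bytes: pad with '=' */
        uint32_t v = (uint32_t)in[i] << 16;
        if (rem == 2)
            v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = (rem == 2) ? b64tab[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

/* Helper: 1 if encoding text yields expected, 0 otherwise. */
int encodes_to(const char *text, const char *expected)
{
    char *got = safe_base64_encode((const unsigned char *)text, strlen(text));
    if (got == NULL)
        return 0;
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    size_t len = wrapping_length();
    printf("naive size for %zu input bytes: %zu\n", len, naive_encoded_size(len));
    printf("checked size: %s\n", encoded_size_or_zero(len) ? "ok" : "rejected");
    printf("encode(\"Man\") matches TWFu: %d\n", encodes_to("Man", "TWFu"));
    return 0;
}
```

The guard is the whole point: once the size computation can be trusted, the write loop that follows cannot exceed the allocation, which is exactly the property the vulnerable versions lacked.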
--- Begin Message ---
Source: glib2.0
Source-Version: 2.12.4-2+etch1
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive:
glib2.0_2.12.4-2+etch1.diff.gz
to pool/main/g/glib2.0/glib2.0_2.12.4-2+etch1.diff.gz
glib2.0_2.12.4-2+etch1.dsc
to pool/main/g/glib2.0/glib2.0_2.12.4-2+etch1.dsc
libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
to pool/main/g/glib2.0/libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
libglib2.0-0_2.12.4-2+etch1_amd64.deb
to pool/main/g/glib2.0/libglib2.0-0_2.12.4-2+etch1_amd64.deb
libglib2.0-data_2.12.4-2+etch1_all.deb
to pool/main/g/glib2.0/libglib2.0-data_2.12.4-2+etch1_all.deb
libglib2.0-dev_2.12.4-2+etch1_amd64.deb
to pool/main/g/glib2.0/libglib2.0-dev_2.12.4-2+etch1_amd64.deb
libglib2.0-doc_2.12.4-2+etch1_all.deb
to pool/main/g/glib2.0/libglib2.0-doc_2.12.4-2+etch1_all.deb
libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
to pool/main/g/glib2.0/libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 520...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Dröge <sl...@debian.org> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 17 Mar 2009 13:36:50 +0100
Source: glib2.0
Binary: libglib2.0-0-dbg libglib2.0-udeb libglib2.0-data libglib2.0-dev
libglib2.0-doc libglib2.0-0
Architecture: source amd64 all
Version: 2.12.4-2+etch1
Distribution: oldstable-security
Urgency: low
Maintainer: Sebastien Bacher <seb...@debian.org>
Changed-By: Sebastian Dröge <sl...@debian.org>
Description:
libglib2.0-0 - The GLib library of C routines
libglib2.0-0-dbg - The GLib libraries and debugging symbols
libglib2.0-data - Common files for GLib library
libglib2.0-dev - Development files for the GLib library
libglib2.0-doc - Documentation files for the GLib library
libglib2.0-udeb - The GLib library of C routines (udeb)
Closes: 520046
Changes:
glib2.0 (2.12.4-2+etch1) oldstable-security; urgency=low
.
* SECURITY: 012_base64-overflow-CVE-2008-4316.patch:
+ Possible arbitrary code execution when processing large Base64 strings.
Patch from upstream SVN, fixes CVE-2008-4316 (Closes: #520046).
Files:
18cae69e02a1227e09226857626c0533 1499 libs optional glib2.0_2.12.4-2+etch1.dsc
d121999e4cdfdc68621e3eb23f66cd66 3838981 libs optional glib2.0_2.12.4.orig.tar.gz
9b22fc1fa8d82aded0a08cc9a7a6f55d 18438 libs optional glib2.0_2.12.4-2+etch1.diff.gz
f30d726d7a8aa293c9b4c5b864b61ce6 285378 misc optional libglib2.0-data_2.12.4-2+etch1_all.deb
275321184f9ed1e0edb0a6a26f477836 737208 doc optional libglib2.0-doc_2.12.4-2+etch1_all.deb
4796b12af73cbe7c18ce91cf300f9049 547570 libs optional libglib2.0-0_2.12.4-2+etch1_amd64.deb
735a0b44ed7edf2eac961beae0046b43 656440 debian-installer optional libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
44d3bded85806ec86c1da38350791e39 595848 libdevel optional libglib2.0-dev_2.12.4-2+etch1_amd64.deb
561ab303f654edd1c3da1e854eb1c162 605210 libdevel extra libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkm/qI0ACgkQBsBdh1vkHyGp1QCfUjKSwZKN72IJ3ZLyuhP/smG4
UEsAnAy84Gr5A5diQRpEr2V8BDS7H00d
=afBH
-----END PGP SIGNATURE-----
--- End Message ---