Your message dated Wed, 22 Apr 2009 06:18:33 +0200
with message-id <20090422041833.ga30...@ngolde.de>
and subject line CVE-2009-1274 is fixed
has caused the Debian Bug report #522811,
regarding xine-lib: heap-based buffer overflow due to integer overflow in 
quicktime atom parsing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
522811: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522811
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xine-lib
Severity: grave
Tags: security patch

Hi,
Tobias Klein discovered an integer overflow in the quicktime 
STTS atom processing that leads to a heap-based buffer 
overflow probably resulting in arbitrary code execution.

As you are also upstream of xine I expect you are aware of:
http://trapkit.de/advisories/TKADV2009-005.txt.

You fixed this bug in 1.1.16.3.

A few words from my side, I expect you to contact the 
security team in case you get notified of a security issue 
in xine in the future as it's not nice to see other people 
notifying us while our Debian maintainer is also the 
upstream. Sorry but this workflow sucks! Debian can allocate 
CVE ids if you need them and I see no reason why a fixed 
package is not already in unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry if we get one in time.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpI18sjjgPMb.pgp
Description: PGP signature


--- End Message ---
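A constructed C illustration of the bug class named in the report above (an entry count from a QuickTime 'stts' atom multiplied into a heap allocation size). It is added here for the reader and is not xine-lib code or the advisory's test case; the atom layout follows the QuickTime time-to-sample format, while the function names, the payloads and the 0x20000001 count are assumptions made up for the example. It shows the wrapping 32-bit multiply next to a parse that rejects the count before allocating.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Constructed example (not xine-lib code): validating an 'stts'
 * (time-to-sample) atom's entry count before sizing a heap buffer.
 *
 * Payload layout after the 8-byte atom header:
 *   1 byte version, 3 bytes flags, 4-byte big-endian entry_count,
 *   then entry_count entries of { sample_count, sample_delta }, 4 bytes each.
 */
#define STTS_FIXED_BYTES 8u   /* version/flags + entry_count */
#define STTS_ENTRY_BYTES 8u   /* sample_count + sample_delta */

typedef struct {
    uint32_t sample_count;
    uint32_t sample_delta;
} stts_entry_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed pattern: a 32-bit multiply wraps, so a huge count yields a
 * tiny allocation while a copy loop that trusts the count runs past it. */
static uint32_t unchecked_alloc_bytes(uint32_t entry_count)
{
    return entry_count * STTS_ENTRY_BYTES;   /* wraps modulo 2^32 */
}

/* Hardened parse. Returns 0 on success, -1 on rejection. */
static int parse_stts(const uint8_t *payload, size_t payload_len,
                      stts_entry_t **out_entries, uint32_t *out_count)
{
    *out_entries = NULL;
    *out_count = 0;
    if (payload_len < STTS_FIXED_BYTES)
        return -1;

    uint32_t entry_count = be32(payload + 4);

    /* Check 1: entry_count * STTS_ENTRY_BYTES must fit in size_t. */
    if (entry_count > (SIZE_MAX - STTS_FIXED_BYTES) / STTS_ENTRY_BYTES)
        return -1;
    size_t need = STTS_FIXED_BYTES + (size_t)entry_count * STTS_ENTRY_BYTES;

    /* Check 2: the atom must actually carry that many entries. */
    if (need > payload_len)
        return -1;

    if (entry_count == 0)
        return 0;
    stts_entry_t *entries = calloc(entry_count, sizeof *entries);
    if (!entries)
        return -1;
    const uint8_t *p = payload + STTS_FIXED_BYTES;
    for (uint32_t i = 0; i < entry_count; i++, p += STTS_ENTRY_BYTES) {
        entries[i].sample_count = be32(p);
        entries[i].sample_delta = be32(p + 4);
    }
    *out_entries = entries;
    *out_count = entry_count;
    return 0;
}

/* Constructed well-formed payload with 2 entries. Returns 2, or -1 on failure. */
static int demo_wellformed(void)
{
    static const uint8_t payload[] = {
        0x00, 0x00, 0x00, 0x00,   /* version 0, flags 0 */
        0x00, 0x00, 0x00, 0x02,   /* entry_count = 2 */
        0x00, 0x00, 0x00, 0x0A,  0x00, 0x00, 0x04, 0x00,  /* 10 samples, delta 1024 */
        0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x02, 0x00,  /* 1 sample, delta 512 */
    };
    stts_entry_t *e; uint32_t n;
    if (parse_stts(payload, sizeof payload, &e, &n) != 0) return -1;
    int ok = (n == 2 && e[0].sample_count == 10 && e[1].sample_delta == 512);
    free(e);
    return ok ? (int)n : -1;
}

/* Constructed malformed payload: entry_count 0x20000001, whose 32-bit byte
 * size wraps to 8, inside an atom far too small. Returns -1 when rejected. */
static int demo_wrapping_count(void)
{
    static const uint8_t payload[] = {
        0x00, 0x00, 0x00, 0x00,
        0x20, 0x00, 0x00, 0x01,   /* entry_count = 0x20000001 */
        0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    };
    stts_entry_t *e; uint32_t n;
    return parse_stts(payload, sizeof payload, &e, &n);
}

int main(void)
{
    printf("unchecked size for 0x20000001 entries: %u bytes\n",
           unchecked_alloc_bytes(0x20000001u));
    printf("well-formed atom: %d entries\n", demo_wellformed());
    printf("wrapping count rejected: %s\n",
           demo_wrapping_count() == -1 ? "yes" : "no");
    return 0;
}
```

Both checks matter: the first keeps the multiplication from wrapping on any word size, and the second ties the count to the bytes the atom really contains, so a count that is merely large but not wrapping is still refused rather than driving reads past the buffer.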
--- Begin Message ---
Version: 1.1.16.3-1

Darren,
you were neither able to reply on #522811, nor to notify the 
security team of a security issue in xine-lib and you didn't 
even comment on the bug afterwards that it is already 
fixed in the version you uploaded nearly at the same time. 
The bug was still open until now.

This wastes a lot of time which you as the maintainer should 
spend. This is nothing personal but either you as upstream
are able to produce secure code or you are able to properly 
communicate with your security team.

I talked with you about this problem in IRC and I would have 
expected at least a notice that you uploaded a fixed version 
if you are not able to close the bug by yourself.

This is nothing personal but on the next security related 
bug of xine without maintainer reaction or coordination with 
the security team I will file a removal bug for xine.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpMHDFYUaiW2.pgp
Description: PGP signature


--- End Message ---
